(54) DEVICE FOR REPRODUCING DATA

(57) A cellular phone (100) stores encrypted content data and encrypted license key distributed thereto in a memory card (110). The cellular phone (100) and the memory card (110) collectively perform a part of mutual authentication processing upon power-on. The encrypted license key (Kc) read from the memory card (110) is decrypted by a first decryption processing portion (1510) with a session key (Ks4), and is further decrypted by a second decryption processing portion (1514) with a system symmetric key (Kcom) for extraction. A third encryption processing portion (1516) decrypts the encrypted content data read from memory card (110) with the license key (Kc) to reproduce content data (Data).

FIG. 4

Description

Technical Field

[0001] The present invention relates to a data reproducing device used in an information distribution system, which can distribute information to terminals such as cellular phones, and can secure a copyright relating to copied information.

Background Art 

[0002] Owing to progress in information communication networks such as Internet in recent years, users can easily access network information through personal terminals employing cellular phones or the like.

[0003] In such information communication, information is transmitted as digital signals. Therefore, each user can copy music data and video data, which are transmitted via the information communication network, without degradation in the audio quality and picture quality.

[0004] Accordingly, the right of the copyright owner may be significantly infringed when copyrighted content data such as music information and image data are transmitted over the information communication network without appropriate measures for protecting the copyrights.

[0005] Conversely, top priority may be given to the copyright protection by disabling or inhibiting distribution of content data over the digital data communication network, which is growing exponentially. However, this causes disadvantages to the copyright owner who can essentially collect a predetermined copyright royalty for copying copyrighted materials.

[0006] In the case where the copyrighted content data such as music data is distributed over a digital information network, e.g., configured as described above, each user records the distributed content data on an appropriate recording device, and then reproduces it by a reproducing device.

[0007] The recording device for such a purpose may be a medium such as a memory card, which allows electrical writing and erasing of data.

[0008] Further, the device for reproducing the content data may be formed of a cellular phone itself, which is used for receiving the content data, or may be a dedicated reproducing device if the recording device is a memory card or the like, and is removably attached to the device receiving the distribution data.

[0009] In the above case, security measures are required for the record medium so that the distributed content data cannot be freely transferred from the record medium receiving the data to another record medium or the like without authorization from a copyright owner.

[0010] For improving the security of the above system, which is configured to transfer data between devices forming the system and/or through an externally accessible region within the device, it is necessary to give sufficient consideration to authentication processing, encryption processing and others.

[0011] As a higher level of security is employed in the authentication processing and encryption processing, an unnecessarily longer time is required even in a regular device before starting the reproduction of the content data for listening or viewing it.

Disclosure of the Invention

[0012] An object of the invention is to provide a data reproducing device for reproducing distributed content data held in a recording device, and particularly a data reproducing device having a function of protecting the content data from unauthorized access to the content data by a person other than a user.

[0013] Another object of the invention is to provide a data reproducing device, which can improve a security of a data distribution system, and can quickly start processing of reproducing content data.

[0014] For achieving the above objects, the invention provides a data reproducing device for decrypting encrypted content data to reproduce content data, including a data storing portion and a data reproducing portion.

[0015] The data storing portion holds the encrypted content data and a license key for decrypting the encrypted content data, outputs the license key in an encrypted form and is removably attached to the data reproducing device. The data reproducing portion receives the output of the data storing portion, and reproduces the encrypted content data. The data reproducing portion includes a first decryption processing portion, a second decryption processing portion and an authentication key holding portion. The first decrypting portion extracts the license key by performing decryption processing with the first decryption key based on the encrypted license key applied from the data storing portion. The second decrypting portion receives the encrypted content data read from the data storing portion, and encrypts the content data by decrypting the received content data with the output of the first decryption processing portion. The authentication key holding portion encrypts authentication data with a public authentication key, and holds the encrypted authentication data for outputting the encrypted authentication data to the data storing portion. The data storing portion includes a third decryption processing portion and a control circuit. The third encryption processing portion decrypts the authentication data encrypted with the public authentication key and applied from the data reproducing portion, and extracts the decrypted authentication data. The control circuit performs authentication processing based on the authentication data extracted by the third decryption processing portion. The control circuit performs at least a part of the authentication processing during a predetermined period common to a plurality of reproduction operations of the encrypted content data.

[0016] Preferably, the predetermined period is a period determined within an active period of the data reproducing device and after attachment of the data storing portion to the data producing portion.

[0017] Preferably, the predetermined period is a period determined after the reproducing device carrying the data storing portion becomes active.

[0018] In a distribution system of the data reproducing device according to the invention, therefore, a part of the processing of mutually authenticating the data reproducing device and a memory card is commonly utilized by a plurality of reproduction operations so that each reproduction operation can be performed rapidly.

Brief Description of the Drawings 
[0019] 

Fig. 1 conceptually shows a whole structure of a data distribution system according to the invention;
Fig. 2 represents characteristics of data, information and others used for communication in the data distribution system shown in Fig. 1;
Fig. 3 is a schematic block diagram showing a structure of a license server 10;
Fig. 4 is a schematic block diagram showing a structure of a cellular phone 100;
Fig. 5 is a schematic block diagram showing a structure of a memory card 110;
Fig. 6 is a flowchart representing a reproduction initialization session in cellular phone 100 according to the first embodiment;
Fig. 7 is a flowchart representing a reproducing operation for reproducing music in cellular phone 100 according to the first embodiment;
Fig. 8 is a first flowchart representing a distributing operation in the data distribution system according to the first embodiment;
Fig. 9 is a second flowchart representing the distributing operation in the data distribution system according to the first embodiment;
Fig. 10 is a third flowchart representing the distributing operation in the data distribution system according to the first embodiment;
Fig. 11 is a first flowchart representing a transfer operation for transfer between two memory cards according to the first embodiment;
Fig. 12 is a second flowchart representing the transfer operation for transfer between the two memory cards according to the first embodiment;
Fig. 13 is a third flowchart representing the transfer operation for transfer between the two memory cards according to the first embodiment;
Fig. 14 represents characteristics of data, information and others used for communication in the data distribution system of the second embodiment;
Fig. 15 is a schematic block diagram showing a structure of a memory card 114 of the second embodiment;
Fig. 16 is a first flowchart representing a distributing operation performed when purchasing contents in the data distribution system according to the second embodiment;
Fig. 17 is a second flowchart representing the distributing operation performed when purchasing contents in the data distribution system according to the second embodiment;
Fig. 18 is a third flowchart representing the distributing operation performed when purchasing contents in the data distribution system according to the second embodiment;
Fig. 19 is a flowchart representing operations of various portions in the reproduction session of a system using a memory card of the second embodiment;
Fig. 20 is a first flowchart representing a transfer operation for transfer between two memory cards according to the second embodiment;
Fig. 21 is a second flowchart representing the transfer operation for transfer between the two memory cards according to the second embodiment;
Fig. 22 is a third flowchart representing the transfer operation for transfer between the two memory cards according to the second embodiment;
Fig. 23 represents characteristics of data, information and others used for communication in the data distribution system of the third embodiment;
Fig. 24 shows a structure of a license server 11 according to the third embodiment;
Fig. 25 is a schematic block diagram showing a structure of a cellular phone 103;
Fig. 26 is a first flowchart representing a distributing operation performed when purchasing contents in the data distribution system according to the third embodiment;
Fig. 27 is a second flowchart representing the distributing operation performed when purchasing contents in the data distribution system according to the third embodiment;
Fig. 28 is a third flowchart representing the distributing operation performed when purchasing contents in the data distribution system according to the third embodiment;
Fig. 29 is a flowchart representing operations of various portions in the reproduction session of a system using a memory card of the third embodiment;
Fig. 30 is a first flowchart representing a transfer operation for transfer between two memory cards according to the third embodiment;
Fig. 31 is a second flowchart representing the transfer operation for transfer between the two memory cards according to the third embodiment; and
Fig. 32 is a third flowchart representing the transfer operation for transfer between the two memory cards according to the third embodiment.

Best Mode for Carrying Out the Invention

[0020] Embodiments of the invention will now be described with reference to the drawings.

[First Embodiment] 

[0021] Fig. 1 conceptually shows a whole structure of an information distribution system according to the invention.

[0022] The following description will be given by way of example on a structure of a data distribution system, in which music data is distributed to users over a cellular phone network. As will be apparent from the following description, the invention is not restricted to such an example, and may be applied to other cases, in which content data such as image data, movie data, educational material data, recitation (voice) data or a game program is distributed over another information communication network.

[0023] Referring to Fig. 1, a license server 10 administrating copyrighted music data encrypts music data (which will be also referred to as "content data" hereinafter) in a predetermined encryption manner, and applies the data thus encrypted to a cellular phone company, which is a distribution carrier 20 for distributing information. An authentication server 12 determines whether a cellular phone and a memory card of a user, who made access for requesting for distribution of the content data, are regular devices or not.

[0024] Distribution carrier 20 relays over its own cellular phone network the distribution request received from each user to license server 10. When license server 10 receives the distribution request, authentication server 12 determines whether the cellular phone and memory card of the user are regular devices or not. After it is confirmed that these are regular devices, license server 10 encrypts the requested content information, and distributes the content data to the user's cellular phone over the cellular phone network of distribution carrier 20.

[0025] In Fig. 1, a cellular phone 100 of a user 1 includes, e.g., a memory card 110, which is releasably attached thereto. Memory card 110 receives encrypted content data received by cellular phone 100, decrypts the data encrypted for the transmission, and applies the data to a music reproducing unit (not shown) in cellular phone 100.

[0026] Further, user 1 can listen to music, which is produced by reproducing such content data, via headphones 130 or the like connected to cellular phone 100.

[0027] In the following description, license server 10, authentication server 12 and distribution carrier (cellular phone company) 20 described above will be collectively referred to as a "music server 30" hereinafter.

[0028] Also, the processing of transmitting the content data from music server 30 to each cellular phone or the like will be referred to as "distribution" hereinafter.

[0029] Owing to the above structure, a user other than a regular user, who purchased a regular cellular phone and a regular memory card, cannot receive and reproduce the data distributed from music server 30 without difficulty.

[0030] Further, the system may be configured as follows. By counting the times of distribution of content data, e.g., for one song in distribution carrier 20, the royalty, which is charged every time the user receives the distributed content data, can be collected by distribution carrier 20 together with charges for telephone calls so that the copyright owner can easily ensure the royalty.

[0031] The foregoing distribution of the content data is performed over a closed system, i.e., the cellular phone network so that it is easy to take measures for the copyright protection, compared with open systems such as the Internet.

[0032] For example, a user 2 having a memory card 112 can receive content data directly from music server 30 by user's own cellular phone 102. However, such data reception may take a relatively long time if user 2 receives the content data or the like having a large information amount directly from music server 30. In connection with this, the system may be configured such that user 2 can copy the content data of user 1, who has already received it. This improves the convenience of users.

[0033] From the viewpoint of protecting right of the copyright owner, it is not allowed to provide a system configuration allowing free copying of content data.

[0034] In an example shown in Fig. 1, an operation, in which the content data itself received by user 1 is copied, and reproduction information required for reproducing the content data of user 1 is moved or transferred to user 2, is referred to as "transfer" of the music data. In this case, the encrypted content data and the information (i.e., reproduction information) required for the reproduction are transferred between memory cards 110 and 112 via cellular phones 100 and 102. As will be described later, the above "reproduction information" has a license key, which allows decryption or decoding of the content data encrypted in accordance with the predetermined cryptosystem, as well as license information such as a license ID and information relating to restrictions on access and reproduction.

[0035] In contrast to the "transfer", an operation of copying content data itself is referred to as "duplication". In the duplication, reproduction information required is not duplicated so that user 2 cannot reproduce the content data. Although not described in detail, user 2 can reproduce the content data by performing additional distribution of only the reproduction information including the license key.

[0036] Owing to the above structures, a user who received the content data from distribution server 30 can flexibly utilize the data.

[0037] If cellular phones 100 and 102 are PHSs (Personal Handy Phones), a telephone conversation can be performed in a so-called transceiver mode. By using this function, information can be transferred between users 1 and 2.

[0038] In the structure shown in Fig. 1, the system requires the following cryptosystems and structure for reproducing the content data, which is distributed in the encrypted form, on the user side. First, the system requires a cryptosystem for distributing an encryption key in the communication. Second, the system requires a cryptosystem for encrypting the data itself to be distributed. Third, the system requires a structure for protecting data by preventing unauthorized copying of the distributed data.

[0039] In the embodiment of the invention, when each of sessions of distribution and reproduction occurs, the destination or receiver of the content data is verified and checked sufficiently, and the content reproducing circuit (e.g., a cellular phone) can start the reproduction of the content data within a reduced time. The structures for these operations and effects will now be described.

[Structures of Data and Keys in System] 

[0040] Fig. 2 collectively represents characteristics of keys relating to encryption for communication in the data distribution system shown in Fig. 1 as well as data and others to be distributed.

[0041] First, data Data is content data such as music data distributed from the distribution server. As will be described later, content data Data distributed from distribution server 30 takes a form of encrypted content data {Data}Kc, which is encrypted to allow decryption at least with a license key Kc.

[0042] In the following description, expression "{Y}X" represents that the data indicated by this expression was prepared by converting data Y into an encrypted form decodable with a decryption key X.

[0043] Together with the content data, distribution server 30 distributes additional information data Data-inf in plain text, which relates to the content data, or relates to access to the server. More specifically, additional information data Data-inf includes information for specifying a song title, an artist name and others of the content data, and also includes information for specifying distribution server 30 and other information.

[0044] The following keys are used for encryption processing and decryption/reproduction processing of the content data as well as for authentication of the content reproducing circuit (i.e., cellular phone) and the recording device (i.e., memory card).

[0045] As already described, license key Kc is used for decrypting and encrypting the content data. Also, public encryption key KPp(n) is used for authentication of the content reproducing circuit (cellular phone 100) and public encryption key KPmc(n) is used for authentication of the memory card.

[0046] The data encrypted with public encryption keys KPp(n) and KPmc(n) can be decrypted with private decryption key Kp(n) and private decryption key Kmc(n) unique to the memory card. These unique private decryption keys for each cellular phone or each memory card have contents different from those of the other kinds of cellular phones or the other kinds of memory cards. These kinds of the cellular phones and memory cards depend on respective units, which are determined based on kinds of manufacturers of them, manufacturing dates or periods (manufacturing lots) and others. The natural number "n" is added for identifying the kind of each memory card and each content reproducing circuit (cellular phone). The unit, which is common to public encryption keys KPmc(n) and KPp(n), will be referred to as a "class" hereinafter.

[0047] As secret keys common to the content reproducing circuit, the system employs a secret key Kcom, which is primarily utilized for obtaining license key Kc and restriction information for the content reproducing circuit to be described later, as well as an authentication key KPma operated commonly in the whole distribution system. Secret key Kcom is a decryption key in the symmetric key cryptosystem, and therefore is held as the encryption key in the distribution server.

[0048] Secret key Kcom is not restricted to the decryption key in the symmetric key cryptosystem, and may have a similar structure as private key in the public key cryptosystem. In this case, the distribution server may be configured to hold public encryption key KPcom, which is asymmetric to the decryption key, as an encryption key.

[0049] Public encryption keys KPmc(n) and KPp(n), which are determined depending on the memory card and the content reproducing circuit as described above, are recorded in the memory card and the cellular phone before shipment, and take the forms of authentication data {KPmc(n)}KPma and {KPp(n)}KPma, respectively. The authentication data is a key, which can be decrypted with authentication key KPma to verify the validity of the authentication data from results of this decryption. In other words, the authentication data is a key used for authorizing the public encryption key. The encryption for producing the authentication data is performed with a private key K, which is paired with and is asymmetric to the authentication key.

[0050] Further, the system uses information for controlling operations of the devices forming the system, i.e., devices such as cellular phone 100 (i.e., content reproducing circuit) and memory card 110, and the above information includes purchase conditions information AC, which is sent from cellular phone 100 to distribution server 30 for designating purchase conditions when the user purchases the license key or the like, access restriction information AC1, which is distributed from distribution server 30 to memory card 110 in accordance with purchase condition information AC for representing restrictions or the like on the allowed times of access to memory card 110, and reproducing circuit restriction information AC2, which is distributed from distribution server 30 to cellular phone 100 for representing restrictions on the reproduction conditions of the content reproducing circuit. For example, the reproduction conditions of the content reproducing circuit relate to conditions, which are used when a sample of a new song is distributed at a low price or no charge for sales promotion, and allow reproduction from the start of the content data only for a limited time.

[0051] As keys for administering the data in memory card 110, the system employs private encryption key KPm(i) (i: natural number) determined for each medium, i.e., memory card, and private decryption key Km(i), which is unique to each memory card and allows decryption of the data encrypted with private encryption key KPm(i). The natural number "i" is added for identifying each memory card from the others.

[0052] Further, the data distribution system shown in Fig. 1 uses the following keys and others in the data communication.

[0053] As the encryption keys for keeping secrecy in the data transmission from and into the memory card, the system uses symmetric keys Ks1 - Ks4, which are produced by distribution server 30, cellular phone 100 or 102, and memory card 110 or 112 upon every distribution, reproduction and transfer of the reproduction information.

[0054] Symmetric keys Ks1 - Ks4 are unique symmetric keys, and are generated in response to every "session", which is a unit of communication or access between or to the distribution server, cellular phone and/or memory card. These symmetric keys Ks1 - Ks4 will be referred to as "session keys" hereinafter.

[0055] These session keys Ks1 - Ks4 have values unique to each communication session, and are administered by the distribution server, cellular phone and memory card.

[0056] More specifically, the license server in the distribution server generates session key Ks1 in response to every distribution session. The memory card generates session key Ks2 in response to every distribution session and every transfer session (receiving side). The memory card likewise generates session key Ks3 in response to every reproduction session and every transfer session (sending side). The cellular phone generates session key Ks4 in response to every reproduction session. In each session, these session keys are exchanged, and the session key produced by another device is received, and is used for encrypting the license key therewith, and then the license key and others thus encrypted are sent so that the security level in the sessions can be improved.

[0057] Further, the data transmitted between the distribution server and the cellular phone includes a content ID, by which the system identifies the content data, a license ID which is an administration code for specifying the time and the receiver of the issued license, and a transaction ID which is a code produced in response to every distribution session for specifying each distribution session.

[Structure of License Server 10] 

[0058] Fig. 3 is a schematic block diagram showing a structure of license server 10 shown in Fig. 1.

[0059] License server 10 includes an information database 304 which holds data for distributing the data prepared by encrypting the music data (content data) in accordance with a predetermined cryptosystem as well as the license ID and others, an accounting database 302 for holding accounting data according to start of access to the music data for each user, a data processing portion 310, which receives data from information database 304 and accounting database 302 via a data bus BS1, and performs predetermined processing, and a communication device 350 for performing data transmission between distribution carrier 20 and data processing portion 310 over a communication network.

[0060] Data processing portion 310 includes a distribution control portion 315 for controlling an operation of data processing portion 310 in accordance with data on data bus BS1, a session key generating portion 316 for generating session key Ks1 during the distribution session under control of distribution control portion 315, a decryption processing portion 312 for receiving authentication data {KPmc(n)}KPma and {KPp(n)}KPma, which are encrypted to represent their validity by decryption, and are sent from the memory card and the cellular phone, respectively, via communication device 350 and a data bus BS1, and decrypting it with authentication key KPma, an encryption processing portion 318, which encrypts session key Ks1 produced by session key generating portion 316 with public encryption key KPmc(n) obtained by decryption processing portion 312, and outputs the encrypted key onto data bus BS1, and a decryption processing portion 320 for receiving the data, which is encrypted with session key Ks1 on each user side and is sent therefrom, via data bus BS1 and decrypting the same.

[0061] Data processing portion 310 further includes a Kcom holding portion 322 for holding secret key Kcom symmetry to the reproducing circuit as an encryption key, an encryption processing portion 324 for encrypting license key Kc and reproducing circuit restriction information AC2 applied from distribution control portion 315 with encryption key KPcom symmetric to the reproducing circuit, an encryption processing portion 326 for encrypting the data sent from encryption processing portion 324 with public encryption key KPm(i), which is obtained by decryption processing portion 320 and is unique to the memory card, and an encryption processing portion 328 for further encrypting the output of encryption processing portion 326 with session key Ks2 applied from decryption processing portion 320, and outputting the same onto data bus BS1.

[0062] In the structure described above, license server 10 utilizes secret key Kcom in the symmetric key cryptosystem as the encryption key. According to the public key cryptosystem, however, Kcom holding portion 322 holds public encryption key KPcom, which is asymmetric to secret key Kcom and can perform decryption into a form decodable with secret key Kcom, if secret key Kcom is private decryption key on the cellular phone side.

[Structure of Cellular Phone 100] 

[0063] Fig. 4 is a schematic block diagram showing a structure of cellular phone 100 shown in Fig. 1.

[0064] In cellular phone 100, natural number n representing the class is equal to one.

[0065] Cellular phone 100 has an antenna 1102 for receiving radio signals sent over the cellular phone network, a send/receive portion 1104 for converting the signals received from antenna 1102 into baseband signals, and for modulating data sent from cellular phone 100 and sending it to antenna 1102, data bus BS2 for data transmission between various portions in cellular phone 100, and a controller 1106 for controlling operations of cellular phone 100 via data bus BS2.

[0066] Cellular phone 100 further includes a touch key unit 1108 for externally applying instructions to cellular phone 100, a display 1110 for giving information sent from controller 1106 or the like to the user as visible information, a voice reproducing portion 1112 for operating in an ordinary conversation operation to reproduce a voice from the received data sent via database BS2, a connector 1120 for external data transmission, and an external interface portion 1122, which can convert the data sent from connector 1120 into signals to be applied onto data bus BS2, and can convert the data applied from data bus BS2 into signals to be applied to connector 1120.

[0067] Cellular phone 100 further includes removable memory
card 110 for storing and decrypting content data (music
data) sent from distribution server 30, a memory interface
1200 for controlling transmission of data between memory
card 110 and data bus BS2, and an authentication data
holding portion 1500 for holding data prepared by
encrypting public encryption key KPp(1), which is set
uniquely to each class of the cellular phone, into the form
decodable with authentication key KPma.
[0068] Cellular phone 100 further includes a Kp holding
portion 1502 for holding private decryption key Kp(n)
(n = 1) unique to the cellular phone (content reproducing
circuit), a decryption processing portion 1504 for
decrypting the data received from data bus BS2 with private
decryption key Kp(1) to obtain session key Ks3 generated by
the memory card, a session key generating portion 1508 for
generating session key Ks4, e.g., based on a random number
for encrypting the data to be transmitted via data bus BS2
between cellular phone 100 and memory card 110 in the
reproduction session for reproducing the content data
stored in memory card 110, an encryption processing portion
1506 for encrypting session key Ks4 thus produced with
session key Ks3 obtained by decryption processing portion
1504, and outputting the encrypted key onto data bus BS2,
and a decryption processing portion 1510 for decrypting the
data on data bus BS2 with session key Ks4 to output data
{Kc//AC2}Kcom.

[0069] Cellular phone 100 further includes a Kcom holding
portion 1512 for holding secret key Kcom unique to the
content reproducing circuit, a decryption processing
portion 1514 for decrypting data {Kc//AC2}Kcom output from
decryption processing portion 1510 with secret key Kcom,
and outputting license key Kc and reproduction circuit
restriction information AC2, a decryption processing
portion 1516 for receiving encrypted content data {Data}Kc
from data bus BS2, and decrypting it with license key Kc
obtained from decryption processing portion 1514 to output
the content data, a music reproducing portion 1518 for
receiving the output of decryption processing portion 1516
and reproducing the content data, a selector portion 1525
for receiving the outputs of music reproducing portion 1518
and voice reproducing portion 1112, and selectively
outputting them depending on the operation mode, and a
connection terminal 1530 for receiving the output of
selector portion 1525 and allowing connection of head
phones 130.
[0070] Reproduction circuit restriction information AC2
output from decryption processing portion 1514 is applied
to controller 1106 via data bus BS2.
[0071] Fig. 4 shows only some of blocks forming the
cellular phone for the sake of simplicity, and particularly
shows only blocks relating to the distribution and
reproduction of music data according to the invention. Some
of blocks related to an original conversation function of
the cellular phone are not shown.

[Structure of Memory Card 110] 

[0072] Fig. 5 is a schematic block diagram showing a
structure of memory card 110 shown in Fig. 4.
[0073] As already described, public encryption key KPm(i)
and corresponding private decryption key Km(i) have values
unique to each memory card. In the following description,
it is assumed that natural number i is equal to one in
memory card 110. Further, keys KPmc(n) and Kmc(n) are
employed as public encryption key and private decryption
key unique to the kind (class) of the memory card,
respectively. It is also assumed that natural number n is
equal to one in memory card 110.
[0074] Memory card 110 includes an authentication data
holding portion 1400 for holding {KPmc(1)}KPma as the
authentication data, a Kmc holding portion 1402 for holding
decryption key Kmc(1) unique to each kind of the memory
card, a Km(1) holding portion 1421 for holding private
decryption key Km(1) set unique to each memory card, and a
KPm(1) holding portion 1416 for holding private encryption
key KPm(1) allowing decryption of the data encrypted with
private decryption key Km(1). Authentication data holding
portion 1400 holds public encryption key KPmc(1), which is
set uniquely to the kind (class) of memory card, in an
encrypted form, which can be decrypted with authentication
key KPma.

EP 1 237 323 A1

[0075] Memory card 110 further includes a data bus BS3 for
transmitting signals to and from memory interface 1200 via
a terminal 1202, a decryption processing portion 1404 for
receiving the data, which is applied onto data bus BS3 from
memory interface 1200, and private decryption key Kmc(1)
unique to the kind of memory card sent from Kmc(1) holding
portion 1402, and outputting session key Ks1, which is
produced by distribution server 30 in the distribution
session, or session key Ks3, which is produced by another
memory card in the transfer session, to contact Pa, a
decryption processing portion 1408 for receiving
authentication key KPma from a KPma holding portion 1414,
and performing decryption on the data applied from data bus
BS3 with authentication key KPma to apply results of the
decryption to a controller 1420 and decryption processing
portion 1410 via data bus BS4, and an encryption processing
portion 1406 for encrypting data, which is selectively
applied by a select switch 1444, with the key selectively
applied by a select switch 1442, and outputting the
encrypted data onto data bus BS3.
[0076] Memory card 110 further includes a session key
generating portion 1418 for generating session key Ks2 or
Ks3 in each of distribution, reproduction and transfer
sessions, an encryption processing portion 1410 for
encrypting session key Ks3 generated from session key
generating portion 1418 with public encryption key KPp(n)
or KPmc(n) obtained by decryption processing portion 1408,
and outputting the key thus encrypted onto data bus BS3,
and a decryption processing portion 1412 for receiving the
data encrypted with session key Ks2 or Ks3 from data bus
BS3, and decrypting it with session key Ks2 or Ks3 obtained
from session key generating portion 1418 to send results of
the decryption onto data bus BS4.
[0077] Cellular phone 110 further includes an encryption
processing portion 1424 for encrypting the data on data bus
BS4 with public encryption key KPm(i) for another memory
card in the transfer session (sender side), a decryption
processing portion 1422 for decrypting the data on data bus
BS4 with private decryption key Km(1), which is unique to
memory card 110 and is paired with public encryption key
KPm(1), and a memory 1415 for receiving and storing the
reproduction information (license key Kc, content ID,
license ID, access restriction information AC1 and
reproducing circuit restriction information AC2), which is
encrypted with public encryption key KPm(1) and is sent
from data bus BS4, and for receiving and storing encrypted
content data {Data}Kc and additional information Data-inf
sent from data bus BS3.

[0078] Memory card 110 further includes a license
information holding portion 1440 for holding the license
ID, content ID and access restriction information AC1
obtained by decryption processing portion 1422, and a
controller 1420 for externally transmitting data via data
bus BS3, receiving the reproduction information and others
from data bus BS4 and controlling the operation of memory
card 110.

[0079] A region TRM surrounded by solid line in Fig. 5 is
arranged within a module TRM, which is configured to erase
internal data or destroy internal circuits for disabling
reading of data and others in the circuits within this
region by a third party when an illegal or improper access
to the inside of memory card 110 is externally attempted.
This module is generally referred to as a "tamper resistant
module".

[0080] Naturally, memory 1415 may be located within module
TRM. According to the structure shown in Fig. 5, however,
the data held in memory 1415 is entirely encrypted so that
a third party cannot reproduce the music from the content
data using only the data in memory 1415, and further, it is
not necessary to locate memory 1415 within the expensive
tamper resistance module. Therefore, the structure in Fig.
5 can reduce a manufacturing cost.

[Reproducing Operation] 



[0081] Description will now be given on the reproducing
operation (which will be referred to as the "reproduction
session" hereinafter), in which music is reproduced from
the encrypted content data held in memory card 110, and is
externally output.
[0082] Fig. 6 is a flowchart representing various
operations in initialization processing, which may also be
referred to as "reproduction initialization session", for
performing a part of mutual authentication processing
between cellular phone 100 and memory card 110.
[0083] In such a case that (i) the power of cellular phone
100, to which memory card 110 is already attached, is
turned on, (ii) when memory card 110 is inserted into
cellular phone 100, of which power is already on, or (iii)
a new session key is produced in the distribution session,
transfer session or the like, processing in the
reproduction initialization session is collectively
performed as will be described later, and a part of the
mutual authentication processing between cellular phone 100
and memory card 110 is commonly utilized by the plurality
of operations of the reproduction processing. Thereby, each
reproducing operation can be performed rapidly.

[0084] Referring to Fig. 6, when the reproduction
initialization session starts in accordance with the
foregoing timing under the control of controller 1106 of
cellular phone 100 (step S200), cellular phone 100 operates
to output authentication data {KPp(1)}KPma, which can be
decrypted with authentication key KPma, from authentication
data holding portion 1500 onto data bus BS2 (step S202).

[0085] Authentication data {KPp(1)}KPma is transmitted to
memory card 110 via data bus BS2 and memory interface 1200.

[0086] In memory card 110, decryption processing portion
1408 takes in authentication data {KPp(1)}KPma, which is
transmitted onto data bus BS3 via terminal 1202. Decryption
processing portion 1408 receives authentication key KPma
from a KPma holding portion 1414, and decrypts the data
sent from data bus BS3. If public encryption key KPp(1)
encrypted with authentication key KPma is regularly
registered and is regularly encrypted, and thus if
decryption can be performed with authentication key KPma,
and the belonging data generated by the decryption can be
authenticated, the decrypted public encryption key KPp(1)
is accepted. If not, or if the belonging data generated by
the decryption cannot be authenticated, the obtained data
is not accepted (step S243).

[0087] When decryption processing portion 1408 accepts the
public encryption key KPp(1), which is unique to the
content reproducing circuit in cellular phone 100,
controller 1420 determines that the public encryption key
KPp(1) sent thereto is the public encryption key assigned
to the content reproducing circuit authenticated in this
data distribution system, and the processing moves to a
next step S210 (step S206). If not accepted, it is
determined that invalid access is made by an unauthorized
device, and the processing ends (step S240).
[0088] When public encryption key KPp(1) is accepted,
controller 1420 instructs session key generating portion
1418 via data bus BS4 to produce session key Ks3 in the
reproduction session. Session key Ks3 produced by session
key generating portion 1418 is sent to encryption
processing portion 1410. Encryption processing portion 1410
encrypts session key Ks3 with public encryption key KPp(1)
of cellular phone 100 obtained by decryption processing
portion 1408, and outputs encrypted data {Ks3}Kp(1) onto
data bus BS3 (step S210).
[0089] Cellular phone 100 receives encrypted data
{Ks3}Kp(1) applied onto data bus BS via terminal 102 and
interface 1200. Encrypted data {Ks3}Kp(1) is decrypted by
decryption processing portion 1504, and session key Ks3
produced by memory card 110 is accepted (step S212).
Thereby, reproduction initialization session ends (step
S213).

[0090] As described above, memory card 110 receives the
authentication data kept in the content reproducing circuit
(cellular phone 100), which is a destination of the data
output for the reproduction, and verifies that cellular
phone 100 is a regular reproducing device. Thereafter,
memory card 110 sends session key Ks3 unique to the session
for establishing connection to the verified destination.
Cellular phone 100 receiving session key Ks3 and memory
card 110 sending the same hold and share session key Ks3
for subsequent reproduction.



(Reproduction Processing) 

[0091] Fig. 7 is a flowchart representing the reproduction
processing following the reproduction initialization
session in Fig. 6.

[0092] When user 1 applies an instruction to produce the
reproduction request via touch key unit 1108 or the like of
cellular phone 100 (step S201), controller 110 of cellular
phone 100 responds to this reproduction request, and
instructs session key generating portion 1508 via data bus
BS2 to generate session key Ks4 produced by cellular phone
100 in the reproduction session. Session key Ks4 thus
produced is sent to encryption processing portion 1506, and
is encrypted with session key Ks3 obtained by decryption
processing portion 1504 to produce encrypted key {Ks4}Ks3,
which is output onto data bus BS2 (step S214).

[0093] Encrypted session key {Ks4}Ks3 is transmitted to
memory card 140 via memory interface 1200. In memory card
110, decryption processing portion 1412 decrypts encrypted
session key {Ks4}Ks3 transmitted onto data bus BS3, and
session key Ks4 produced in cellular phone 100 is accepted
(step S216).
[0094] In response to acceptance of session key Ks4,
controller 1420 determines access restriction information
AC1 in license information holding portion 1440 bearing the
corresponding content ID (step S218).
[0095] In step S218, access restriction information AC1
relating to restrictions on the memory access is
determined. If the reproduction is already impossible, the
reproduction session ends (step S240). If the reproduction
is possible but the allowed times of reproduction are
restricted, the operation moves to a next step after
updating the data of access restriction information AC1 to
update the allowed times of reproduction (step S220). If
access restriction information AC1 does not restrict the
reproduction times, step S220 is skipped, and the
processing moves to next step S222 without updating access
restriction information AC1.

[0096] When the content ID corresponding to the requested
song is not present in license information holding portion
1440, it is likewise determined that the reproduction is
impossible, and the reproduction session ends (step S240).

[0097] When it is determined in step S218 that the
reproduction is allowed in the current reproduction
session, decryption processing is performed for obtaining
license key Kc of the reproduction-requested song recorded
in the memory as well as reproducing circuit restriction
information AC2. More specifically, decryption processing
portion 1454 operates in response to the instruction of
controller 1420 to decrypt encrypted data
{{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1), which is
read from memory 1415 onto data bus BS4, with private
decryption key Km(1) unique to memory card 110. Thereby,
encrypted data {Kc//AC2}Kcom decodable with secret key Kcom
is obtained (step S222).
[0098] Encrypted data {Kc//AC2}Kcom thus obtained is sent
to encryption processing portion 1406 via a contact Pd of
select switch 1444. Encryption processing portion 1406
further encrypts encrypted data {Kc//AC2}Kcom received from
data bus BS4 with session key Ks4, which is received from
decryption processing portion 1412 via contact Pb of select
switch 1442, and outputs {{Kc//AC2}Kcom}Ks4 onto data bus
BS3 (step S224).
[0099] The encrypted data output onto data bus BS3 is sent
to cellular phone 100 via memory interface 1200.
[0100] In cellular phone 100, decryption processing portion
1510 decrypts encrypted data {{Kc//AC2}Kcom}Ks4 transmitted
onto data bus BS2 via memory interface 1200, and accepts
data {Kc//AC2}Kcom, i.e., encrypted license key Kc and
reproduction circuit restriction information AC2 (step
S226). Decryption processing portion 1514 decrypts
encrypted data {Kc//AC2}Kcom with secret key Kcom, which is
received from Kcom holding portion 1512 and is symmetric to
the content reproducing circuit, and accepts license key Kc
and reproducing circuit restriction information AC2 (step
S228). Decryption processing portion 1514 transmits license
key Kc to decryption processing portion 1516, and outputs
reproducing circuit restriction information AC2 onto data
bus BS2.

[0101] Controller 1106 accepts reproducing circuit
restriction information AC2 via data bus BS2, and
determines the reproducibility (step S230).
[0102] When it is determined from reproducing circuit
restriction information AC2 in step S230 that the
reproduction is impossible, the reproduction session ends
(step S240).

[0103] If the reproduction is possible, encrypted content
data {Data}Kc of the requested song recorded in the memory
of memory card 110 is output onto data bus BS3, and is
transmitted to cellular phone 100 via memory interface 1200
(step S232).
[0104] In cellular phone 100, decryption processing portion
1516 decrypts encrypted content data {Data}Kc, which is
output from memory card 110 and is transmitted onto data
bus BS2, with license key Kc so that content data Data in
plain text can be obtained (step S234). From decrypted
content data Data in plain text, music reproducing portion
1518 reproduces music, and the reproduced music is
externally output via switching portion 1525 and terminal
1530 so that the processing ends (step S240).

[0105] As described above, the reproduction initialization
session is separated from the reproduction session, and is
commonly utilized by the plurality of songs or tunes so
that the music can be quickly started in response to the
reproduction request of the user.
[0106] Further, session key Ks4 is generated for every
reproduction, and is used for encryption for sending
license key Kc from memory card 110 to the content
reproducing circuit (cellular phone 100). Therefore, the
same song can be repeated without passing the same data
through memory interface 1200. Thereby, the level of
security does not lower, as compared with the case where
the reproduction initialization session is not separated,
and is performed at the start of the every reproduction
processing.

[0107] In the reproduction session, a series of operations
starting from the predetermined initialization session are
performed such that the encryption keys produced by the
cellular phone and the memory card are mutually
transmitted, and each of them executes the encryption with
the received encryption key, and sends the encrypted data
to the other party. As a result, mutual authentication can
be performed in the operations of sending and receiving the
encrypted data in the distribution session, and the
security can be ensured in the data distribution system.
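
The reproduction processing of Fig. 7 (steps S214 to S234) can be traced in code. The following Python sketch is an added example, not part of the patent text. It assumes session key Ks3 is already shared by the Fig. 6 initialization, leaves out the Km(1) layer on the stored record, uses a toy deterministic cipher in place of the unnamed symmetric algorithm, and models AC1 as a remaining-play counter (None meaning unrestricted) and AC2 as a one-byte flag; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy deterministic cipher standing in for the symmetric algorithm, which the
# text does not name. Not for real use; it only makes the key layering visible.
def _stream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(b"enc" + key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, data: bytes) -> bytes:
    """Return {data}key: XOR keystream followed by an HMAC tag."""
    body = bytes(a ^ b for a, b in zip(data, _stream(key, len(data))))
    return body + hmac.new(key, b"mac" + body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    good = hmac.new(key, b"mac" + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified data")
    return bytes(a ^ b for a, b in zip(body, _stream(key, len(body))))

class MemoryCard:
    def __init__(self, ks3: bytes):
        self.ks3 = ks3
        self.licenses = {}  # content ID -> [{Kc//AC2}Kcom, AC1]
        self.content = {}   # content ID -> {Data}Kc

    def store(self, content_id, wrapped_license, ac1, enc_data):
        self.licenses[content_id] = [wrapped_license, ac1]
        self.content[content_id] = enc_data

    def release_license(self, content_id, wrapped_ks4: bytes) -> bytes:
        ks4 = unseal(self.ks3, wrapped_ks4)             # S216: accept Ks4
        entry = self.licenses.get(content_id)           # S218: check AC1
        if entry is None or entry[1] == 0:
            raise PermissionError("reproduction not allowed")  # S240
        if entry[1] is not None:
            entry[1] -= 1                               # S220: update count
        return seal(ks4, entry[0])                      # S224: {{Kc//AC2}Kcom}Ks4

class Phone:
    def __init__(self, ks3: bytes, kcom: bytes):
        self.ks3, self.kcom, self.ks4 = ks3, kcom, None

    def request(self) -> bytes:
        self.ks4 = secrets.token_bytes(16)              # fresh key per playback
        return seal(self.ks3, self.ks4)                 # S214: {Ks4}Ks3

    def play(self, bus_msg: bytes, enc_data: bytes) -> bytes:
        wrapped = unseal(self.ks4, bus_msg)             # S226: strip Ks4 layer
        kc_ac2 = unseal(self.kcom, wrapped)             # S228: strip Kcom layer
        kc, ac2 = kc_ac2[:16], kc_ac2[16]
        if ac2 != 1:
            raise PermissionError("AC2 forbids reproduction")  # S230
        return unseal(kc, enc_data)                     # S234: plain content

def run_session(plays=3, ac1=2):
    """Play one constructed song `plays` times; return bus traffic and outputs."""
    kcom, kc, ks3 = (secrets.token_bytes(16) for _ in range(3))
    card = MemoryCard(ks3)
    card.store("song-1", seal(kcom, kc + b"\x01"), ac1,
               seal(kc, b"constructed audio bytes"))
    phone = Phone(ks3, kcom)
    bus, outputs = [], []
    for _ in range(plays):
        try:
            msg = card.release_license("song-1", phone.request())
        except PermissionError:
            outputs.append(None)                        # card refused (S240)
            continue
        bus.append(msg)
        outputs.append(phone.play(msg, card.content["song-1"]))
    return bus, outputs
```

Because the toy cipher is deterministic, the license messages in `bus` differ between plays only because Ks4 is regenerated each time, which is the property paragraph [0106] relies on.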

[Distributing Operation] 

[0108] Operations in the respective sessions of the data
distribution system according to the embodiment of the
invention will now be described in greater detail with
reference to flowcharts.
[0109] Figs. 8, 9 and 10 are first, second and third
flowcharts representing a distributing operation, which
will also be referred to as a "distribution session"
hereinafter, and is performed when purchasing the contents
in the data distribution system according to the first
embodiment, respectively.

[0110] Figs. 8 to 10 represent an operation performed when
user 1 using memory card 110 receives the content data
distributed from distribution server 30 via cellular phone
100.

[0111] First, user 1 requests distribution via cellular
phone 100 of user 1, e.g., by operating keys or buttons on
touch key unit 1108 (step S100).
[0112] In memory card 110, authentication data holding
portion 1400 outputs authentication data {KPmc(n)}KPma in
response to this request (step S102).
[0113] Cellular phone 100 sends authentication data
{KPmc(1)}KPma accepted from memory card 110 as well as
authentication data {KPp(1)}KPma of cellular phone 100
itself, the content ID for designating the content data to
be distributed and data AC of the license purchase
conditions to distribution server 30 (step S104).

[0114] Distribution server 30 receives the content ID,
authentication data {KPmc(1)}KPma and {KPp(1)}KPma, and
license purchase condition data AC (step S106), and
performs the decryption with authentication key KPma by
decryption processing portion 312. If public encryption
keys KPp(1) and KPmc(1) encrypted with authentication key
KPma are registered regularly, and are encrypted regularly,
public encryption key KPmc(1) of memory card 110 and public
encryption key KPp(1) of cellular phone 100 are accepted.
If these are not registered regularly, such unregistered
public encryption keys KPp(1) and KPmc(1) are not accepted
(step S108).
[0115] Distribution control portion 315 makes an inquiry to
authentication server 12 based on accepted private
encryption keys KPmc(1) and KPp(1) (step S110). If these
public encryption keys were accepted in step S108, and were
regularly registered, these keys are determined as valid
keys, and the processing moves to a next step (step S112).
If the public encryption keys were not accepted, or if the
public encryption keys were accepted but were not
registered, these keys are determined as invalid keys, and
the processing ends (step S170).

[0116] For authenticating public encryption key KPp(1) or
KPmc(1) in the decryption processing performed with
authentication key KPma, such a structure may be employed
that a certificate, which is encrypted into a form
decodable with authentication key KPma, is sent to
distribution server 30 together with each public encryption
key KPp(1) or KPmc(1).
[0117] Since authentication data {KPmc(1)}KPma and
{KPp(1)}KPma are encrypted into forms, which allow
authentication by decrypting them with authentication key
KPma, such a structure may be employed that distribution
control portion 315 in license server 10 performs the
authentication in its own manner in accordance with results
obtained by decryption with authentication key KPma,
without sending an inquiry to authentication server 12.

[0118] When it is determined from the inquiry that the keys
are valid, distribution control portion 315 produces the
transaction ID for specifying the distribution session
(step S112).

[0119] Then, session key generating portion 316 produces
session key Ks1 for distribution. Session key Ks1 is
encrypted by encryption processing portion 318 with public
encryption key KPmc(1) corresponding to memory card 110 and
obtained by decryption processing portion 312 (step S114).

[0120] The transaction ID and encrypted session key
{Ks1}Kmc(1) are externally output via data bus BS1 and
communication device 350 (step S116).
[0121] When cellular phone 100 receives the transaction ID
and encrypted session key {Ks1}Kmc(1) (step S118), memory
card 110 operates to decrypt the received data applied onto
data bus BS3 by decryption processing portion 1404 with
private decryption key Kmc(1), which is held in holding
portion 1402 and is unique to memory card 110, and thereby
to extract decrypted session key Ks1 (step S120).
[0122] When controller 1420 confirms the acceptance of
session key Ks1 produced by distribution server 30, it
instructs session key generating portion 1418 to produce
session key Ks2, which is to be produced during the
distribution session in memory card 110. In the
distribution session, session key generating portion 1418
of memory card 110 generates a new session key so that
session key Ks3 held in the reproduction initialization
session is rewritten into session key Ks2.
[0123] Encryption processing portion 1406 encrypts session
key Ks2 and public encryption key KPm(1), which are applied
via a contact Pc of select switch 144 by switching a
contact of a select switch 1446, with session key Ks1
applied via contact Pa of select switch 1442 from
decryption processing portion 1404, and outputs data
{Ks2//KPm(1)}Ks1 onto data bus BS3 (step S122).

[0124] Data {Ks2//KPm(1)}Ks1 output onto data bus BS3 is
sent from data bus BS3 to cellular phone 100 via terminal
1202 and memory interface 1200, and is sent from cellular
phone 100 to distribution server 30 (step S124).

[0125] Distribution server 30 receives encrypted data
{Ks2//KPm(1)}Ks1, and decrypts it with session key Ks1 by
decryption processing portion 320 to accept session key Ks2
produced in memory card and public encryption key KPm(1)
unique to memory card 110 (step S126).
[0126] Further, distribution control portion 316 produces
the license ID, access restriction information AC1 and
reproducing circuit restriction information AC2 in
accordance with the content ID and license purchase
condition data AC obtained in step S106 (step S130).
Further, license key Kc for decrypting the encrypted
content data is obtained from information database 304
(step S132).

[0127] Referring to Fig. 9, distribution control portion
315 applies license key Kc and reproducing circuit
restriction information AC2 thus obtained to encryption
processing portion 324. Encryption processing portion 324
uses secret key Kcom, which is obtained from Kcom holding
portion 322 and is symmetric to the content reproduction
circuit, as an encryption key, and encrypts license key Kc
and reproducing circuit restriction information AC2 (step
S134).

[0128] Encrypted data {Kc//AC2}Kcom output from encryption
processing portion 324 as well as the license ID, content
ID and access restriction information AC1 output from
distribution control portion 315 are encrypted by
encryption processing portion 326 with public encryption
key KPm(1), which is obtained by decryption processing
portion 320 and is unique to memory card 110 (step S136).

[0129] Encryption processing portion 328 receives the
output of encryption processing portion 326, and encrypts
it with session key Ks2 produced in memory card 110.
Encrypted data
{{{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1)}Ks2
output from encryption processing portion 328 is sent to
cellular phone 100 via data bus BS1 and communication
device 350 (step S138).

[0130] As described above, distribution server 30 and
memory card 110 exchange the session keys produced thereby,
and each execute the encryption with the received
encryption key for sending the encrypted data to the other
party. Thereby, mutual authentication can also be actually
or practically performed when sending and receiving the
encrypted data, and thereby the security level in the data
distribution system can be improved.
[0131] Cellular phone 100 receives encrypted data
{{{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1)}Ks2 sent
thereto (step S140), and memory card 110 operates to
decrypt the received data applied via memory interface 1200
onto data bus BS3 by decryption processing portion 1412.
Thus, decryption processing portion 1412 decrypts the data
received from data bus BS3 with session key Ks2 applied
from session key generating portion 1418, and outputs the
decrypted key onto data bus BS4.

[0132] In this stage, data bus BS4 is supplied with data
{{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1), which
can be decrypted with private decryption key Km(1) held in
Km(1) holding portion 1421. This data
{{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1) is
recorded in memory 1415 (step S144).
[0133] Further, decryption processing portion 1422 performs
the decryption with private decryption key Km(1) unique to
memory card 112 so that license ID, content ID and access
control information AC1 are recorded in license information
holding portion 1440 via data bus BS4 (step S148).

[0134] Further, license ID, content ID and access
restriction information AC1 are recorded in license
information holding portion 1440 (step S150).
[0135] When the processing in and before step S150 is
normally completed, cellular phone 100 sends a distribution
request for the content data to distribution server 30
(step S152).

[0136] When distribution server 30 receives the
distribution request for the content data, it obtains
encrypted content data {Data}Kc and additional data
Data-inf from information database 304, and outputs the
data thus obtained via data bus BS1 and communication
device 350 (step S154).

[0137] Cellular phone 100 receives {Data}Kc//Data-inf, and
accepts encrypted content data {Data}Kc and additional
information Data-inf (step S156). Encrypted content data
{Data}Kc and additional information Data-inf are
transmitted onto data bus BS3 of memory card 110 via memory
interface 1200 and terminal 1202. In memory card 110,
encrypted content data {Data}Kc and additional information
Data-inf thus received are recorded in memory 1415 as they
are (step S158).
[0138] Memory card 110 sends a notification of distribution
acceptance to distribution server 30 (step S160). When
distribution server 30 receives the distribution acceptance
(step S162), storage of accounting data in accounting
database 302 and other processing for ending the
distribution are executed (step S164) so that the whole
processing ends (step S170).
[0139] Cellular phone 100 starts the reproduction
initialization session in the reproduction processing.
Processing after this start is the same as that in the
reproduction initialization session shown in Fig. 6. Steps
S172, S176, S174, S178 and S180 correspond to steps S202,
S204, S206, S208 and S210, respectively.
[0140] As described above, cellular phone 100 in the
distribution session operates in such a manner that the
reproduction initialization session is executed for the
reproduction immediately after the completion of recording
of the distributed content data, and thereby the
reproduction initialization session is ended before input
of reproduction via touch key unit 1108. Thereby, the
reproduction of the content data and music can be started
quickly in response to the reproduction request of the
user, while keeping an intended security level.
[0141] Further, the content data can be distributed in
response to the distribution request only after confirming
the validities of public encryption keys Kp(1) and Kmc(1),
which are sent from the content reproducing portion of
cellular phone 100 and memory card 110, respectively.
Therefore, distribution to unauthorized devices can be
inhibited. Further, encryption for sending and receiving
the data uses the key depending on the receiving side.
Therefore, an intended security level in the distribution
is ensured.

[Transferring Operation]

[0142] Description will now be given on the processing for transferring the content data between the two memory cards.

[0143] Figs. 11, 12 and 13 are first, second and third flowcharts representing the transference of the content data, keys and others between two memory cards 110 and 112 via cellular phones 100 and 102.

[0144] In Figs. 10-12, the natural numbers n, which represent the kinds of cellular phone 100 and memory card 102, respectively, are both equal to one. Also, the natural numbers n, which represent the kinds of cellular phone 102 and memory card 112, respectively, are both equal to two. Natural numbers i used for identifying memory cards 110 and 112 are equal to one and two (i = 1 and i = 2), respectively.

[0145] In Figs. 10-12, cellular phone 100 and memory card 110 are on the sending side, and cellular phone 102 and memory card 112 are on the receiving side. Memory card 112 has substantially the same structure as memory card 110, and is attached to cellular phone 102. In the following description, respective components and portions of memory card 112 bear the same reference numbers as those of memory card 110.

[0146] Referring to Fig. 10, user 1 on the sending side applies a content transfer request via cellular phone 100 of user 1, e.g., by operating keys or buttons on touch key unit 1108 (step S300).

[0147] The transfer request thus produced is transmitted to memory card 112 of user 2 on the receiving side via cellular phone 120. In memory card 112, authentication data holding portion 1500 outputs authentication data {KPmc(2)}KPma including public encryption key KPmc(2) corresponding to memory card 112 (step S302).

[0148] Authentication data {KPmc(2)}KPma of memory card 112 is sent from cellular phone 102 of user 2 to cellular phone 100 of user 1, and is received by memory card 110 (step S304).

[0149] In memory card 110, decryption processing portion 1408 performs the decryption. If public encryption key KPmc(2) encrypted with authentication key KPma is regularly registered and is regularly encrypted, i.e., when the data can be decrypted with authentication key KPma, and the belonging data produced by the decryption can be authenticated, decrypted public encryption key KPmc(2) is accepted as the public encryption key of memory card 112. If the decryption is impossible, or when the belonging data produced by the signal processing cannot be authenticated, the obtained data is not accepted (step S306).
[0150] When decryption processing portion 1408 accepts public encryption key KPmc(2) unique to the contents of memory card 112, controller 1420 determines that public encryption key KPmc(2) sent thereto is the public encryption key assigned to the memory card authenticated in this data distribution system, and the processing moves to a next step S312 (step S308). If not accepted, controller 1420 determines that invalid access is made by an unauthorized device, and ends the processing (step S360).

[0151] When the authentication result is valid, controller 1420 instructs session key generating portion 1418 to output session key Ks3 generated on the sending side in the transfer session. On the receiving side in the transfer session, session key generating portion 1418 of memory card 110 generated the new session key so that session key Ks3 held in the reproduction initialization session is rewritten into session key Ks2. Session key Ks3 produced by session key generating portion 1418 is transmitted to encryption processing portion 1410. Encryption processing portion 1410 further receives public encryption key KPmc(2) of memory card 112, which is decrypted by decryption processing portion 1408 in step S306, and encrypts session key Ks3 with public encryption key KPmc(2). Thereby, encrypted session key {Ks3}Kmc(2) is output onto data bus BS3 (step S314).

[0152] Encrypted session key {Ks3}Kmc(2) is transmitted to memory card 112 via memory interface 1200, cellular phone 100 and cellular phone 102.

[0153] Memory card 112 receives encrypted key {Ks3}Kmc(2) sent from memory card 110, and decrypts it by decryption processing portion 1404 with private decryption key Kmc(2) corresponding to memory card 112 to accept session key Ks3 produced by memory card 110 on the sending side (step S316).
[0154] In response to acceptance of session key Ks3, controller 1420 of memory card 112 instructs session key generating portion 1418 to produce session key Ks2, which is to be generated on the receiving side in the transfer session. On the receiving side in the transfer session, session key generating portion 1418 of memory card 110 generated the new session key so that session key Ks3 held in the reproduction initialization session is rewritten into session key Ks2. Session key Ks2 produced thereby is transmitted to encryption processing portion 1406 via a contact Pf in select switch 1446 and a contact Pc in select switch 1444.

[0155] Encryption processing portion 1406 receives session key Ks3 obtained by decryption processing portion 1404 in step S316, and encrypts session key Ks2 and public encryption key KPm(2), which are obtained via contact Pc in select switch 1444 by appropriately selecting contacts R and Pe in select switch 1446, with session key Ks3, and outputs {Ks2//KPm(2)}Ks3 onto data bus BS3 (step S318).

[0156] Encrypted data {Ks2//KPm(2)}Ks3 output onto data bus BS3 is transmitted onto data bus BS3 of memory card 110 via cellular phones 102 and 100.

[0157] In memory card 110, coding processing portion 1412 decrypts the encrypted data transmitted onto data bus BS3 with session key Ks3, and accepts session key Ks2 and public encryption key KPm(2) related to memory card 112 (step S320).

[0158] In accordance with the acceptance of session key Ks2 and public encryption key KPm(2), controller 1420 in memory card 110 determines the access restriction information AC1 in license information holding portion 1440 (step S322). When it is determined from access control information AC1 that transfer of license is impossible, the transfer is stopped at this stage (step S360).

[0159] When it is determined from access restriction information AC1 that the transfer session is allowed, the processing moves to next step S322, and controller 1420 obtains the corresponding content ID and license ID from license information holding portion 1440, updates the access control information in license information holding portion 1440, and records the inhibition of subsequent reproduction and transfer (step S324). In response to this, access control information AC1 is determined in each of the reproduction session and the transfer session, and processing is performed to inhibit the subsequent reproduction session and the subsequent transfer session.

[0160] Controller 1420 instructs memory 1415 to output encrypted data {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1) relating to session key Kc and reproduction information corresponding to the content to be transferred. Encrypted data {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1) output from memory 1415 is decrypted so that {Kc//AC2}Kcom is obtained on data bus BS4 (step S326).

[0161] The license ID, content ID and access restriction information AC1, which are obtained from license information holding portion 1440 in step S324, and {Kc//AC2}Kcom obtained in step S326 are taken into encryption processing portion 1424 via data bus BS4, and are encrypted. Encryption processing portion 1424 encrypts these received data with public encryption key KPm(2), which is obtained by decryption processing portion 1412 in step S320, and is unique to memory card 112, to produce {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(2) (step S328).

[0162] Encrypted data {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(2), which is output onto data bus BS4, is transmitted to encryption processing portion 1406 via contact Pd of select switch 1444. Encryption processing portion 1406 receives session key Ks2, which was prepared by memory card 112 and is obtained by decryption processing portion 1412, via contact Pb of select switch 1442, and encrypts the data received from contact Pd with session key Ks2.

[0163] Encryption processing portion 1406 outputs data {{{Kc//AC2}Kcom//license ID//content ID//AC1}Km(2)}Ks2 onto data bus BS3 (step S330). In step S330, the encrypted data output onto data bus BS3 is transmitted to memory card 112, which is on the receiving side in the transfer session, via cellular phones 100 and 102.

[0164] In memory card 112, decryption processing portion 1412 performs the decryption with session key Ks2 produced by session key generating portion 1418, and accepts {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(2) (step S332).

[0165] Data {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(2) thus accepted is recorded while keeping a form encrypted with public encryption key KPm(2) (step S334).

[0166] Further, decryption processing portion 1422 performs decryption with private decryption key Km(2) unique to memory card 112 so that license ID, content ID and access restriction information AC1 are accepted (step S336).

[0167] The license ID, content ID and access restriction information AC1 thus accepted are recorded in license information holding portion 1440 (step S338).
[0168] When the processing in and before step S338 is normally completed in the foregoing manner, a request for duplication of the content data is further issued via cellular phone 102 in response to the transfer of the encrypted data of license key Kc and the distribution information (step S340).

[0169] The request for duplication of the content data is transmitted to memory card 110 via cellular phone 100. In response to this, corresponding encrypted content data {Data}Kc and additional information Data-inf are output from memory 1415 in memory card 110 onto data bus BS3 (step S342). These data output onto data bus BS3 are transmitted to memory card 112 via memory interface 1200, cellular phone 100 and cellular phone 102, and are recorded in memory 1415 in memory card 112 (step S344).

[0170] When recording of encrypted content data {Data}Kc and additional information Data-inf is completed, transfer acceptance is sent via cellular phone 102 (step S346).

[0171] When memory card 112 and corresponding cellular phone 102 normally execute the reproduction session in response to the above transfer acceptance, the user can listen to music via cellular phone 102 based on the content data recorded in memory card 112.

[0172] Cellular phone 100 on the sending side receives the transfer acceptance sent from cellular phone 102 (step S348), and receives an instruction from the user via touch key unit 1108 to either erase or hold the content data (step S350).

[0173] When erasing of the content data is instructed via touch key unit 1108, corresponding encrypted content data {Data}Kc and additional information Data-inf are erased in memory 1415 within memory card 110 (step S354). When holding of the content data is instructed, step S354 is skipped, and the transfer processing ends in this stage (step S356).
[0174] After the transfer session was normally performed and transfer processing ending step S356 is performed, or when processing is skipped after step S308 or S322 because the transfer session is stopped as a result of authentication or the like, the processing moves to a next step S358.

[0175] The reproduction information such as corresponding content ID recorded in license information holding portion 1440 is in the same state as the erasing because access control information AC1 was updated in step S324 to inhibit the reproduction session and the transfer session. When the bank storing the reproduction information in this state receives new reproduction information distributed or transferred thereto for new content data, overwriting is allowed. Therefore, similar effects can be achieved by erasing all the data in this bank.

[0176] In the state where the encrypted content data is already recorded in memory 1415, the encrypted content data can be reproduced for listening to the music only by accessing distribution server 30 and receiving the distributed reproduction information. The processing of distributing only the reproduction information is not represented in the flowcharts. However, this processing is substantially the same as the processing in the distribution session shown in Figs. 9 and 10 except for that the steps S152, S154, S156 and S158 relating to the sending and receiving of the encrypted content data are not performed, and therefore description thereof is not repeated.

[0177] When transfer processing ends in step S356, cellular phone 100 outputs data {KPp(1)}KPma for authentication to memory card 110 (step S358).

[0178] Memory card 110 receives data {KPp(1)}KPma from cellular phone 100, and decryption processing portion 1408 decrypts it with key KPma so that key KPp(1) is accepted (step S360).

[0179] In memory card 110, controller 1420 authenticates cellular phone 100 based on key KPp(1) thus accepted (step S362).

[0180] When the transfer ending processing is performed in step S356, cellular phone 100 starts the reproduction initialization session between memory card 110 and cellular phone 100. Subsequent steps S358, S360, S362, S364 and S366 correspond to steps S202, S204, S206, S208 and S210 in Fig. 6, respectively, so that description thereof is not repeated. When cellular phone 100 completes reproduction initialization session, it ends the processing (step S390).

[0181] When cellular phone 102 sends the transfer acceptance in step S346, cellular phone 102 starts the reproduction initialization session between memory card 110 and cellular phone 102. Subsequent steps S348, S350, S352, S354 and S356 correspond to steps S202, S204, S206, S208 and S210 in Fig. 6, respectively, so that description thereof is not repeated. When cellular phone 102 completes reproduction initialization session, it ends the processing (step S390).
[0182] As described above, cellular phone 100 on the sending side and cellular phone 102 on the receiving side in the transfer session operate in such a manner that the reproduction initialization session is executed for the reproduction immediately after the completion of sending/receiving of the transferred content data, and thereby the reproduction initialization session is ended before instruction of reproduction via touch key unit 1108 of each cellular phone. Thereby, the reproduction of the content data and music can be started quickly in response to the reproduction request of the user, while keeping an intended security level.

[0183] Further, memory card 110 on the sending side transfers the reproduction information including the license key in response to the transfer request only after confirming the validity of public encryption key Kmc(2), which is sent from memory card 112 on the receiving side. Therefore, transfer to an unauthorized memory card can be inhibited. Further, encryption for sending and receiving the data uses the key depending on the receiving side. Therefore, an intended security level in the transfer session is ensured.

[Second Embodiment] 

[0184] A data distribution system of a second embodiment differs from the data distribution system of the first embodiment in the following points. Data {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1) of the encrypted license key and others is prepared by encrypting the encrypted license key and others with public encryption key Km(1) in the public key cryptosystem using encryption and decryption keys, which are asymmetrical to each other, and is distributed. The data thus distributed is decrypted with key Km(1), and then is stored in memory 1415 after being encrypted again with a symmetric key, i.e., private symmetric key K(i) unique to the memory card.

[0185] Thus, the data distribution system of the second embodiment differs from that of the first embodiment in that memory card 114 is employed instead of memory card 110 employed in the data distribution system of the first embodiment and already described with reference to Fig. 5.

[0186] Fig. 14 represents characteristics of data, information and others used for communication in the data distribution system of the second embodiment, and corresponds to Fig. 2 representing the first embodiment. However, the characteristics in Fig. 14 differ from those in Fig. 2 only in that the symmetric key, i.e., private symmetric key K(i) unique to the memory card is employed as already described, and therefore description thereof is not repeated.

[0187] Fig. 15 is a block diagram showing a structure of a memory card 114 of the second embodiment, and corresponds to Fig. 5 showing the first embodiment.

[0188] Referring to Fig. 15, memory card 114 differs from memory card 110 of the first embodiment shown in Fig. 5 in that memory card 114 includes a K(1) holding portion 1450 for holding private symmetric key K(1) unique to the memory card, an encryption processing portion 1452 for encrypting the data on data bus BS4 with private symmetric key K(1), and a decryption processing portion 1454 for decrypting the data on data bus BS4 with private symmetric key K(1).

[0189] Structures other than the above are substantially the same as those of memory card 110 of the first embodiment. The same portions bear the same reference numbers, and description thereof is not repeated.
[0190] Figs. 16, 17 and 18 are first, second and third flowcharts representing the distribution operation performed for purchasing contents in the data distribution system according to the second embodiment, and correspond to Figs. 8, 9 and 10 representing the first embodiment, respectively.

[0191] Figs. 16-19 represent the operations, in which user 1 uses memory card 114 for receiving the content data distributed from distribution server 30 via cellular phone 100.

[0192] The processing represented in Figs. 16-18 differs from the distribution processing using memory card 110 in the following points. In step S144, memory card 114 accepts data {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1), and decryption processing portion 1422 decrypts {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1) with private decryption key Km(1) in accordance with an instruction from controller 1420 so that data {Kc//AC2}Kcom, license ID, content ID and access restriction information AC1 are accepted (step S146'). The data {Kc//AC2}Kcom, license ID, content ID and access restriction information AC1 thus accepted are encrypted by encryption processing portion 1452 with private symmetric key K(1) unique to memory card 114, and {{Kc//AC2}Kcom//license ID//content ID//AC1}K(1) is recorded in memory 1415 outside the TRM region (step S148').

[0193] According to the above distribution processing, data {Kc//AC2}Kcom, license ID, content ID and access restriction information AC1 are decrypted with private decryption key Km(1) in step S146, and then are encrypted again with private symmetric key K(1) before recording in memory 1415 in step S148. These manners are employed for the following reasons.
[0194] According to the public key cryptosystem using asymmetric keys, i.e., according to a combination of public encryption key KPm(1) and private decryption key Km(1), a long time may be required for the decryption processing.

[0195] Therefore, the data is encrypted again with private symmetric key K(1), which is unique to the memory card, in the symmetric key cryptosystem allowing fast decryption. Thereby, decryption of license key Kc and reproduction restriction information AC1, which are information required for the reproduction, can be performed rapidly in the processing of reproducing the content data corresponding to the encrypted content data.

[0196] Further, the key for data sending is different from the key for storing the data in the memory card. Such different keys improve the security level.

[0197] The public key cryptosystem described above may be specifically an RSA cryptosystem (Rivest-Shamir-Adleman cryptosystem), elliptic curve cryptosystem or the like, and the symmetric key cryptosystem may be specifically a DES (Data Encryption Standard) cryptosystem or the like.

[0198] Description has been given on the structure, in which the data encrypted based on keys KPm(1)/Km(1) in the public key cryptosystem, which uses the encryption and decryption keys asymmetric to each other, is re-encrypted with private symmetric key K(1) in the symmetric key cryptosystem using the encryption and decryption keys, which are entirely symmetric to each other. However, another structure may be employed. For example, such a structure may be employed that license ID, content ID and access restriction information AC1, which are held in license information holding portion 1440 provided within the TRM region of memory card 110, are neither re-encrypted nor stored in memory 1415, and data {Kc//AC2}Kcom are recorded in memory 1415 after being re-encrypted with symmetric private key K(1).

[0199] Operations other than the above are substantially the same as the distribution operations in the first embodiment. The same steps and operations bear the same reference numbers, and description thereof is not repeated.

[0200] Fig. 19 is a flowchart representing operations of various portions in the reproduction session using memory card 114 in the second embodiment.

[0201] According to memory card 114 in the second embodiment, it is assumed that the processing for the reproduction initialization session is performed similarly to memory card 110 in the first embodiment.

[0202] The distribution processing using memory card 110 in the second embodiment differs from the distribution processing using memory card 110 in the first embodiment in that processing in a step S222' shown in Fig. 19 is performed such that encrypted data {{Kc//AC2}Kcom//license ID//content ID//AC1}K(1) read from memory 1415 onto data bus BS4 is decrypted by decryption processing portion 1454 with private key K(1) held in a K(1) holding portion 1451.

[0203] Operations other than the above are substantially the same as the distribution operations in the first embodiment. The same steps and operations bear the same reference numbers, and description thereof is not repeated.

[Transfer Operation] 

[0204] Figs. 20, 21 and 22 are first, second and third flowcharts representing operations for transfer in the second embodiment, respectively.

[0205] The transfer operations of the memory card in the second embodiment are basically the same as those in the first embodiment.

[0206] The operations for transfer between memory cards 114 and 116 in the second embodiment are different from the operations for transfer between memory cards 110 and 112 in steps S326', S334' and S336'. In step S326', controller 1420 instructs memory 1415 to output session key Kc corresponding to the contents to be transferred and encrypted data {{Kc//AC2}Kcom//license ID//content ID//AC1}K(1) relating to the reproduction information. Encrypted data {{Kc//AC2}Kcom//license ID//content ID//AC1}K(1) output from memory 1415 is decrypted by decryption processing portion 1454 with private symmetric key K(1) to obtain {Kc//AC2}Kcom on data bus BS4.

[0207] In step S334', {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(2) accepted in step S332 is decrypted by decryption processing portion 1422 with private decryption key Km(2) unique to memory card 116 so that {Kc//AC2}Kcom, license ID, content ID and access control information AC1 are output onto data bus BS4.

[0208] In step S336', {Kc//AC2}Kcom, license ID, content ID and access control information AC1 output onto data bus BS4 in step S334' are encrypted again by encryption processing portion 1452 with private symmetric key K(2), and then are recorded in memory 1415 via data bus BS4.

[0209] Operations other than the above are substantially the same as the transfer operations in the first embodiment. The same steps and operations bear the same reference numbers, and description thereof is not repeated.

[0210] Owing to the above structure, the reproduction can be started more quickly, and the security of the content data can be enhanced.
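
The second-embodiment transfer between memory cards 114 and 116 (steps S326', S334' and S336'), together with the session-key exchange and AC1 check of steps S314 to S330 that it shares with the first embodiment, is shown below as added example code that is not part of the original document. Assumptions: toy RSA built from fixed Mersenne primes and a SHA-256 keystream with HMAC stand in for the public-key and symmetric ciphers the text names, AC1 is modelled as two flags, KPmc(2) is taken as already authenticated, and every class, method and field name is hypothetical.

```python
import hashlib, hmac, json, secrets

E = 65537
# Mersenne primes used as constructed toy RSA factors (not secure parameters)
P = [2**k - 1 for k in (127, 89, 107, 61, 521, 31, 607, 19)]

def keypair(p, q):
    """Toy RSA key pair: returns ((n, e), (n, d))."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _sub(key, label):
    return hashlib.sha256(label + key).digest()

def _xor(key, nonce, data):
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def sym_enc(key, data):
    """{data}K: stand-in authenticated cipher (SHA-256 keystream plus HMAC), not DES."""
    nonce = secrets.token_bytes(16)
    ct = _xor(_sub(key, b"enc"), nonce, data)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def sym_dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or altered data")
    return _xor(_sub(key, b"enc"), nonce, ct)

def pub_enc(pub, data):
    """{data}KP: a random r is RSA-encrypted and its hash keys the symmetric layer."""
    n, e = pub
    size = (n.bit_length() + 7) // 8
    r = secrets.randbelow(n - 2) + 2
    key = hashlib.sha256(r.to_bytes(size, "big")).digest()
    return pow(r, e, n).to_bytes(size, "big") + sym_enc(key, data)

def priv_dec(priv, blob):
    n, d = priv
    size = (n.bit_length() + 7) // 8
    r = pow(int.from_bytes(blob[:size], "big"), d, n)
    return sym_dec(hashlib.sha256(r.to_bytes(size, "big")).digest(), blob[size:])

class Card:
    """Second-embodiment memory card (114 or 116); names here are this example's own."""
    def __init__(self, mc_primes, m_primes):
        self.KPmc, self.Kmc = keypair(*mc_primes)  # KPmc(i)/Kmc(i): session set-up
        self.KPm, self.Km = keypair(*m_primes)     # KPm(i)/Km(i): license in transit
        self.K = secrets.token_bytes(16)           # K(i): card-unique storage key
        self.info = {}                             # license information holding portion 1440
        self.memory = {}                           # memory 1415

    def store(self, lic):                          # re-encrypt under K(i), as in S336'
        cid = lic["content_id"]
        self.info[cid] = {"license_id": lic["license_id"], "AC1": lic["AC1"]}
        self.memory[cid] = sym_enc(self.K, json.dumps(lic).encode())

    def send_ks3(self, peer_KPmc):                 # sender, S314: {Ks3}KPmc(2)
        self.ks3 = secrets.token_bytes(16)
        return pub_enc(peer_KPmc, self.ks3)

    def reply_ks2(self, enc_ks3):                  # receiver, S316 and S318: {Ks2//KPm(2)}Ks3
        self.ks3 = priv_dec(self.Kmc, enc_ks3)
        self.ks2 = secrets.token_bytes(16)
        body = {"ks2": self.ks2.hex(), "KPm": self.KPm}
        return sym_enc(self.ks3, json.dumps(body).encode())

    def send_license(self, cid, reply):            # sender, S320 to S330
        msg = json.loads(sym_dec(self.ks3, reply)) # S320: accept Ks2 and KPm(2)
        held = self.info[cid]
        if not held["AC1"]["transfer"]:            # S322: AC1 forbids transfer, stop
            raise PermissionError("AC1 does not allow transfer")
        lic = {"content_id": cid, "license_id": held["license_id"],
               "AC1": held["AC1"]}                 # assumption: AC1 is sent as read before S324
        held["AC1"] = {"reproduce": False, "transfer": False}  # S324: inhibit before output
        stored = json.loads(sym_dec(self.K, self.memory[cid]))        # S326': open with K(1)
        lic["kc_ac2_kcom"] = stored["kc_ac2_kcom"]
        inner = pub_enc(tuple(msg["KPm"]), json.dumps(lic).encode())  # S328: {...}KPm(2)
        return sym_enc(bytes.fromhex(msg["ks2"]), inner)              # S330: {{...}KPm(2)}Ks2

    def receive_license(self, blob):               # receiver, S332, S334' and S336'
        inner = sym_dec(self.ks2, blob)            # remove the Ks2 layer
        self.store(json.loads(priv_dec(self.Km, inner)))

def transfer_demo():
    c114 = Card((P[0], P[1]), (P[2], P[3]))
    c116 = Card((P[4], P[5]), (P[6], P[7]))
    c114.store({"kc_ac2_kcom": "c0ffee", "license_id": "L-0001", "content_id": "C-0001",
                "AC1": {"reproduce": True, "transfer": True}})  # constructed sample license
    m1 = c114.send_ks3(c116.KPmc)  # KPmc(2) taken as already authenticated (S302 to S308)
    m2 = c116.reply_ks2(m1)
    m3 = c114.send_license("C-0001", m2)
    c116.receive_license(m3)
    return c114, c116, m3
```

After `transfer_demo()` the sending card's AC1 is inhibited, so a second `send_license` call for the same content raises `PermissionError`, and the record stored on card 116 opens only with its own K(2).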

[0211] The processing in the first form differs from that in the second embodiment only in the processing within the memory card, and there is no difference in encryption of the data outside the memory card between the first and second embodiments. The transfer operations can be performed by employing any combination of those on the sending and receiving sides in the first and/or second embodiments already described.

[0212] Accordingly, memory cards 110 and 114 are compatible with each other.

[Third Embodiment] 

[0213] A data distribution system of the third embodiment differs from that of the first embodiment in that the distribution server and the content reproducing circuit of the cellular phone do not perform the encryption and decryption processing with secret key Kcom common to the content reproducing circuit.

[0214] The data distribution system of the third embodiment differs from the data distribution system of the first embodiment already described with reference to Fig. 3 in that a license server 11 is employed instead of license server 10 in distribution server 30 provided in the data distribution system of the first embodiment. Further, the data distribution system of the third embodiment employs a cellular phone 103 instead of cellular phone 100 already described with reference to Fig. 4.

[0215] Fig. 23 represents characteristics of data, information and others used for communication in the data distribution system of the third embodiment, and corresponds to Fig. 2 representing the first embodiment. The characteristics in Fig. 23 differ from those in Fig. 2 only in that secret key Kcom is not employed, and therefore description thereof is not repeated.
[0216] Fig. 24 is a schematic block diagram showing a structure of a license server 11 in the data distribution system according to the third embodiment.

[0217] License server 11 differs from license server 10 in that license server 11 employs neither Kcom holding portion 322 for secret key Kcom common to the reproducing circuit nor encryption processing portion 324 for performing encryption with secret key Kcom. In distribution server 31, license key Kc and reproducing circuit control information AC2 output from distribution control portion 315 are directly transmitted to encryption processing portion 326. Circuit structures and operations other than the above are substantially the same as those of license server 10 shown in Fig. 3, and therefore, description thereof is not repeated.

[0218] License server 11, authentication server 12 and distribution carrier 20 may be collectively referred to as "distribution server 31".

[0219] Fig. 25 is a schematic block diagram showing a structure of cellular phone 103 used in the data distribution system according to the third embodiment.

[0220] Referring to Fig. 25, cellular phone 103 differs from cellular phone 100 in the first embodiment already described with reference to Fig. 4 in that cellular phone 103 is not provided with Kcom holding portion 1512 for holding secret key Kcom common to the reproducing circuit and decryption processing portion 1514 using secret key Kcom.

[0221] Since distribution server 31 does not perform the encryption with secret key Kcom, license key Kc can be obtained directly by decryption processing portion 1510, which performs decryption with session key Ks4, so that license key Kc is directly applied to decryption processing portion 1510 according to cellular phone 101. Circuit structures and operations other than the above are substantially the same as those of cellular phone 100, and therefore, description thereof is not repeated.

[0222] The memory card used in the data distribution system according to the third embodiment has the same structure as memory card 110 shown in Fig. 5, and therefore, description thereof is not repeated.

[0223] By eliminating the encryption with secret key Kcom common to the reproducing circuit, a difference occurs in operations of each of the distribution session and reproduction session. This difference will now be described with reference to flowcharts.
[0224] Figs. 26, 27 and 28 are first, second and third flowcharts showing distribution operations in the data distribution system according to the third embodiment, respectively. With reference to Figs. 26 - 28, description will now be given on only differences with respect to the distribution operations of the data distribution system of the first embodiment, which are already described with reference to the flowcharts of Figs. 8 to 10.

[0225] Referring to Figs. 26 - 28, processing in and before step S132 is the same as that in the flowchart of Fig. 9 already described.

[0226] As already described with reference to Fig. 24, license key Kc and reproducing circuit control information AC2 obtained in step S132 are encrypted with public encryption key KPm(1) unique to memory card 110 without being encrypted with secret key Kcom. Therefore, step S134 is eliminated.

[0227] Subsequently to step S132, steps S136a - S148a are executed instead of steps S136 - S148, respectively. Steps S136a - S148a differ from respective steps S136 - S148 in that license key Kc and reproducing circuit control information AC2 are handled in the form of Kc//AC2 without encryption, and the form of {Kc//AC2}Kcom handled in steps S136 - S148 is not used. The processing for encryption and decryption other than the above is substantially the same as that already described with reference to Fig. 9, and therefore, description thereof is not repeated.

[0228] Fig. 29 is a flowchart representing the reproduction
operations in the data distribution system according
to the third embodiment. In the third embodiment,
it is assumed that the reproduction initialization
session is performed similarly to the first embodiment.
[0229] Referring to Fig. 29, the reproduction operations
in the data distribution system according to the
third embodiment differ from the reproduction operations
in the data distribution system according to the first
embodiment shown in Fig. 6 in that steps S222a - S226a
are executed instead of steps S222 - S226, respectively.
Steps S222a - S226a differ from respective steps S222 -
S226 in that license key Kc and reproducing circuit control
information AC2 are handled in the form of Kc//AC2,
and the form of {Kc//AC2}Kcom handled in steps S222
- S226 is not used. The processing for encryption and
decryption other than the above is substantially the
same as that already described with reference to Fig.
10, and therefore, description thereof is not repeated.
Since license key Kc and reproducing circuit restriction
control AC2 are not encrypted with secret key Kcom, but
are encrypted with public encryption key Km(1) unique
to memory card 110, step S228 is eliminated. Steps other
than the above are substantially the same as those
shown in Fig. 10, and therefore, description thereof is
not repeated.
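The reproduction exchange of paragraphs [0228] and [0229], set beside the first embodiment's, as an added Python sketch that is not part of the patent. The patent names no cipher, so `seal`/`unseal` are an HMAC-SHA256 stand-in for every {X}K operation; `MemoryCard`, `phone_play`, `build` and `demo` are hypothetical names, all keys and data are constructed, AC1 is modelled as a simple play counter, and the phone reads `card.ks3` directly in place of the Ks3 exchange of the initialization session.

```python
# Added illustration, not from the patent: one reproduction session in the first
# embodiment ({{Kc//AC2}Kcom}Ks4) and in the third ({Kc//AC2}Ks4). seal()/unseal()
# are a stand-in cipher (HMAC-SHA256 keystream plus tag); all values are constructed.
import hashlib
import hmac
import os


def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(key, nonce, data):
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(_sub(key, nonce + i.to_bytes(4, "big")) for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, plain):
    """{plain}key: encrypt, then authenticate nonce and ciphertext."""
    nonce = os.urandom(16)
    body = _xor_stream(_sub(key, b"enc"), nonce, plain)
    return nonce + body + _sub(_sub(key, b"mac"), nonce + body)


def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _sub(_sub(key, b"mac"), nonce + body)):
        raise ValueError("wrong key or modified data")
    return _xor_stream(_sub(key, b"enc"), nonce, body)


class MemoryCard:
    def __init__(self, license_blob, plays_allowed, enc_content):
        self.k1 = os.urandom(32)        # K(1): card-unique key, stays on the card
        self.ks3 = os.urandom(32)       # Ks3: assumed shared in the initialization session
        self.record = seal(self.k1, license_blob)
        self.ac1 = plays_allowed        # AC1 modelled as remaining reproductions
        self.enc_content = enc_content  # {Data}Kc
        self.handled = b""              # what the card holds after the K(1) decrypt

    def reproduce(self, wrapped_ks4):
        ks4 = unseal(self.ks3, wrapped_ks4)          # accept Ks4 from {Ks4}Ks3
        if self.ac1 <= 0:                            # AC1 says "not reproducible"
            raise PermissionError("AC1: no reproductions left")
        self.ac1 -= 1                                # update allowed times
        self.handled = unseal(self.k1, self.record)
        return seal(ks4, self.handled), self.enc_content


def phone_play(card, kcom=None):
    """Phone side; kcom=None is the third embodiment (no common key)."""
    ks4 = os.urandom(32)                             # fresh Ks4 every session
    wrapped, enc_content = card.reproduce(seal(card.ks3, ks4))
    inner = unseal(ks4, wrapped)                     # strip the Ks4 layer
    if kcom is not None:
        inner = unseal(kcom, inner)                  # first embodiment: strip Kcom
    kc, ac2 = inner[:32], inner[32:]                 # split Kc//AC2
    return unseal(kc, enc_content), ac2


def build(embodiment, plays=2):
    kc, ac2, kcom = os.urandom(32), b"\x01", os.urandom(32)
    data = b"constructed music data"
    blob = kc + ac2
    if embodiment == 1:
        blob = seal(kcom, blob)                      # server pre-wraps: {Kc//AC2}Kcom
    card = MemoryCard(blob, plays, seal(kc, data))
    return card, kc, (kcom if embodiment == 1 else None), data


def demo():
    report = {}
    for emb in (1, 3):
        card, kc, kcom, data = build(emb)
        played, _ = phone_play(card, kcom)
        phone_play(card, kcom)                       # second and last allowed play
        try:
            phone_play(card, kcom)
            limit_enforced = False
        except PermissionError:
            limit_enforced = True
        report[emb] = {"played": played == data, "card_saw_kc": kc in card.handled,
                       "limit_enforced": limit_enforced}
    return report
```

In the third-embodiment run the card holds Kc//AC2 in the clear after the K(1) decrypt, whereas in the first it only ever holds {Kc//AC2}Kcom; `demo()` reports that difference as `card_saw_kc`.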

[0230] Figs. 30, 31 and 32 are first, second and third
flowcharts representing the transfer operation in the
third embodiment, respectively.
[0231] The operations for transfer between cellular
phones 103 and 105 having substantially the same
structure are substantially the same as those in the first
embodiment except that license key Kc and reproducing
circuit restriction information AC2 are not encrypted
with secret key Kcom in the third embodiment.
Thus, the operations in the third embodiment are
substantially the same as those in the first embodiment
except that steps S326a - S336a are employed instead
of steps S326 - S336. Therefore, description thereof is
not repeated.

[0232] Owing to the above structure, the data distribution
system, which can achieve effects similar to
those of the data distribution system according to the
first embodiment, can be achieved although the system
does not use secret key Kcom, which is symmetric to
the content reproducing circuit (cellular phone), for
performing the encryption in the license server and the
decryption in the cellular phone.
[0233] Likewise, the data distribution system in the
second embodiment can be configured such that the
distribution server and the cellular phone do not perform
the encryption and decryption using secret key Kcom
symmetric to the reproducing circuit. The reproducing
device may be a device other than a cellular phone, and
may be formed of a structure not receiving the
distribution.

[0234] Although the present invention has been described
and illustrated in detail, it is clearly understood
that the same is by way of illustration and example only
and is not to be taken by way of limitation, the spirit and
scope of the present invention being limited only by the
terms of the appended claims.



Claims

1. A data reproducing device (100) for decrypting encrypted content data to reproduce content data, comprising:

   a data storing portion (110) for holding said encrypted content data and a license key for decrypting said encrypted content data, outputting said license key in an encrypted form and being removably attached to said data reproducing device;
   a data reproducing portion for receiving the output of said data storing portion, and reproducing said encrypted content data and
   a first control portion (1106) for controlling transmission between said data storing portion and said data reproducing portion, wherein
   said data producing portion includes:

      a first decryption processing portion (1510, 1514, 1516) for receiving said license key and said encrypted content data read from said data storing portion, and decrypts said encrypted content data with said license key to extract the content data, and
      an authentication key holding portion (1500) for encrypting authentication data with a public authentication key, and holding the encrypted authentication data for outputting the encrypted authentication data to said data storing portion;

   said data storing portion includes:

      a second decrypting portion (1408) for decrypting and extracting said authentication data encrypted by said public authentication key and applied from said data reproducing portion, and
      a second control circuit (1420) for performing authentication processing based on said authentication data extracted by said second decryption processing portion; and

   said first control circuit controls said authentication processing to be performed during a predetermined period common to a plurality of reproducing operations of said encrypted content data.

2. The data reproducing device according to claim 1, wherein

   said data storing portion is a memory card removably attached to said data reproducing device.

3. The data reproducing device according to claim 1, wherein

   said predetermined period is a period determined within an active period of said data reproducing device and after attachment of said data storing portion to said data producing portion.

4. The data reproducing device according to claim 1, wherein

   said predetermined period is a period determined after said reproducing device carrying said data storing portion becomes active.

5. The data reproducing device according to claim 1, wherein

   said data reproducing portion further includes:

      a session key generating portion (1608) for generating a session key to be updated upon every access to said data storing portion for obtaining said encrypted content data, and
      a first encryption processing portion (1506) for encrypting said session key with a first encryption key into a form allowing decryption by said data storing portion, and applying the encrypted session key to said data storing portion;

   said data storing portion outputs said license key encrypted into a form decodable with a first decryption key, and further encrypted with said first session key; and
   said first decryption processing portion includes:

      a second decryption processing portion (1510) for decrypting, with said session key, said license key encrypted into the form allowing decryption by said data storing portion with said first decryption key, further encrypted with said first session key and received from said data storing portion, and
      a third decryption processing portion (1514) for receiving the output of said second decryption processing portion, and decrypting the received output with said first decryption key to extract said license key.

6. The data reproducing device according to claim 5, wherein

   said first decryption key is predetermined with respect to said data reproducing device and said data storing portion.

7. The data reproducing device according to claim 5, wherein

   said first control circuit performs control to apply said session key to said data storing portion during said predetermined period common to the plurality of reproducing operations of said encrypted content data.

8. The data reproducing device according to claim 1, wherein

   said data reproducing portion further includes:

      a session key generating portion (1508) for generating a session key to be updated upon every access to said data storing portion for obtaining said encrypted content data, and
      a first encryption processing portion (1606) for encrypting said session key with a first encryption key into a form allowing decryption by said data storing portion, and applying the encrypted session key to said data storing portion; and

   said first decryption processing portion includes a second decryption processing portion (1610) for decrypting, with said session key, said license key encrypted with said session key and received from said data storing portion.

9. The data reproducing device according to claim 8, wherein

   said first control circuit performs control to apply said session key to said data storing portion during said predetermined period common to the plurality of reproducing operations of said encrypted content data.

10. The data reproducing device according to claim 7, wherein

   said predetermined period is a period determined within an active period of said data reproducing device and after attachment of said data storing portion to said data producing portion.

11. The data reproducing device according to claim 9, wherein

   said predetermined period is a period determined within an active period of said data reproducing device and after attachment of said data storing portion to said data producing portion.

12. The data reproducing device according to claim 7, wherein

   said predetermined period is a period determined after said reproducing device carrying said data storing portion becomes active.

13. The data reproducing device according to claim 9, wherein

   said predetermined period is a period determined after said reproducing device carrying said data storing portion becomes active.






FIG.1 (labels: USER2, USER1)



FIG.2

NAME | FUNCTION/CHARACTERISTICS | HOLD/GENERATION POSITION
Data | CONTENT DATA: DISTRIBUTED AS ENCRYPTED CONTENT DATA ENCRYPTED TO ALLOW DECRYPTION WITH Kc AND TAKING THE FORM OF {Data}Kc | DISTRIBUTION SERVER
Data-inf | ADDITIONAL INFORMATION: PLAIN TEXT INFORMATION RELATING TO COPYRIGHT OF CONTENT DATA, SERVER ACCESS, ETC. | DISTRIBUTION SERVER
Kc | LICENSE KEY: DECRYPTION KEY FOR DECRYPTING ENCRYPTED CONTENT DATA | DISTRIBUTION SERVER
Kp(n)/Kmc(n) | PRIVATE DECRYPTION KEY UNIQUE TO CLASS OF CONTENT REPRODUCING CIRCUIT OR MEMORY CARD (n: IDENTIFIER OF CLASS) | CELLULAR PHONE, MEMORY CARD
KPp(n)/KPmc(n) | ASYNCHRONOUS PUBLIC ENCRYPTION KEY DECODABLE WITH Kp(n)/Kmc(n), RECORDED IN THE FORM OF {Kp(n)}KPma/{KPmc(n)}KPma BEFORE SHIPMENT, DECRYPTED TO PRODUCE ADDITIONAL INFORMATION AUTHENTICATING DECRYPTED PUBLIC ENCRYPTION KEY Kp(n)/KPmc(n) (n: IDENTIFIER OF CLASS) | CELLULAR PHONE, MEMORY CARD
Kcom | DECRYPTION KEY COMMON TO REPRODUCING CIRCUIT, UTILIZED FOR DECRYPTION OF ENCRYPTED Kc AND AC2 (ASYMMETRIC DISTRIBUTION SERVER KPcom/REPRODUCTION CIRCUIT Kcom MAY BE USED.) | DISTRIBUTION SERVER, CELLULAR PHONE
KPma | AUTHENTICATION KEY | DISTRIBUTION SERVER
AC | PURCHASE CONDITIONS FOR LICENSE FROM USER SIDE (FUNCTION RESTRICTION, NUMBER OF LICENSE(S), ETC.) | CELLULAR PHONE
AC1 | RESTRICTION INFORMATION FOR MEMORY ACCESS | DISTRIBUTION SERVER
AC2 | CONTROL INFORMATION FOR REPRODUCING CIRCUIT | DISTRIBUTION SERVER
Km(i) | DECRYPTION KEY UNIQUE TO EACH MEMORY CARD (i: IDENTIFIER OF CARD) | MEMORY CARD
KPm(i) | ASYMMETRIC ENCRYPTION KEY DECODABLE WITH Km(i) | MEMORY CARD
Ks1 | SYMMETRIC KEY UNIQUE TO SESSION, GENERATED IN EVERY DISTRIBUTION SESSION | DISTRIBUTION SERVER
Ks2 | SYMMETRIC KEY UNIQUE TO SESSION, GENERATED IN EVERY DISTRIBUTION/TRANSFER (RECEIVING) SESSION | MEMORY CARD
Ks3 | SYMMETRIC KEY UNIQUE TO SESSION, GENERATED IN EVERY REPRODUCTION/TRANSFER (SENDING) SESSION | MEMORY CARD
Ks4 | SYMMETRIC KEY UNIQUE TO SESSION, GENERATED IN EVERY REPRODUCTION SESSION | CELLULAR PHONE
CONTENT ID | CODE FOR IDENTIFYING CONTENT DATA Data | DISTRIBUTION SERVER
LICENSE ID | ADMINISTRATION CODE FOR SPECIFYING ISSUANCE OF LICENSE (DETERMINED TOGETHER WITH CONTENT ID IN SOME CASES) | DISTRIBUTION SERVER
TRANSACTION ID | CODE PRODUCED IN EVERY DISTRIBUTION SESSION FOR SPECIFYING DISTRIBUTION SESSION (THIS MAY ALSO SERVE AS LICENSE ID.) | DISTRIBUTION SERVER
FIG.14

NAME | FUNCTION/CHARACTERISTICS | HOLD/GENERATION POSITION
Data | CONTENT DATA: DISTRIBUTED AS ENCRYPTED CONTENT DATA ENCRYPTED TO ALLOW DECRYPTION WITH Kc AND TAKING THE FORM OF {Data}Kc | DISTRIBUTION SERVER
Data-inf | ADDITIONAL INFORMATION: PLAIN TEXT INFORMATION RELATING TO COPYRIGHT OF CONTENT DATA, SERVER ACCESS, ETC. | DISTRIBUTION SERVER
Kc | LICENSE KEY: DECRYPTION KEY FOR DECRYPTING ENCRYPTED CONTENT DATA | DISTRIBUTION SERVER
Kp(n)/Kmc(n) | PRIVATE DECRYPTION KEY UNIQUE TO CLASS OF CONTENT REPRODUCING CIRCUIT OR MEMORY CARD (n: IDENTIFIER OF CLASS) | CELLULAR PHONE, MEMORY CARD
KPp(n)/KPmc(n) | ASYNCHRONOUS PUBLIC ENCRYPTION KEY DECODABLE WITH Kp(n)/Kmc(n), RECORDED IN THE FORM OF {Kp(n)}KPma/{KPmc(n)}KPma BEFORE SHIPMENT, DECRYPTED TO PRODUCE ADDITIONAL INFORMATION AUTHENTICATING DECRYPTED PUBLIC ENCRYPTION KEY Kp(n)/KPmc(n) (n: IDENTIFIER OF CLASS) | CELLULAR PHONE, MEMORY CARD
Kcom | DECRYPTION KEY COMMON TO REPRODUCING CIRCUIT, UTILIZED FOR DECRYPTION OF ENCRYPTED Kc AND AC2 (ASYMMETRIC DISTRIBUTION SERVER KPcom/REPRODUCTION CIRCUIT Kcom MAY BE USED.) | DISTRIBUTION SERVER, CELLULAR PHONE
KPma | AUTHENTICATION KEY | DISTRIBUTION SERVER
AC | PURCHASE CONDITIONS FOR LICENSE FROM USER SIDE (FUNCTION RESTRICTION, NUMBER OF LICENSE(S), ETC.) | CELLULAR PHONE
AC1 | RESTRICTION INFORMATION FOR MEMORY ACCESS | DISTRIBUTION SERVER
AC2 | CONTROL INFORMATION FOR REPRODUCING CIRCUIT | DISTRIBUTION SERVER
Km(i) | DECRYPTION KEY UNIQUE TO EACH MEMORY CARD (i: IDENTIFIER OF CARD) | MEMORY CARD
KPm(i) | ASYMMETRIC ENCRYPTION KEY DECODABLE WITH Km(i) | MEMORY CARD
K(i) | SYMMETRIC ENCRYPTION KEY UNIQUE TO MEMORY (i: IDENTIFIER OF CARD) | MEMORY CARD
Ks1 | SYMMETRIC KEY UNIQUE TO SESSION, GENERATED IN EVERY DISTRIBUTION SESSION | DISTRIBUTION SERVER
Ks2 | SYMMETRIC KEY UNIQUE TO SESSION, GENERATED IN EVERY DISTRIBUTION/TRANSFER (RECEIVING) SESSION | MEMORY CARD
Ks3 | SYMMETRIC KEY UNIQUE TO SESSION, GENERATED IN EVERY REPRODUCTION/TRANSFER (SENDING) SESSION | MEMORY CARD
Ks4 | SYMMETRIC KEY UNIQUE TO SESSION, GENERATED IN EVERY REPRODUCTION SESSION | CELLULAR PHONE
CONTENT ID | CODE FOR IDENTIFYING CONTENT DATA Data | DISTRIBUTION SERVER
LICENSE ID | ADMINISTRATION CODE FOR SPECIFYING ISSUANCE OF LICENSE (DETERMINED TOGETHER WITH CONTENT ID IN SOME CASES) | DISTRIBUTION SERVER
TRANSACTION ID | CODE PRODUCED IN EVERY DISTRIBUTION SESSION FOR SPECIFYING DISTRIBUTION SESSION (THIS MAY ALSO SERVE AS LICENSE ID.) | DISTRIBUTION SERVER






FIG.19 (flowchart; box texts listed per column)

CELLULAR PHONE
   START
   REQUEST REPRODUCTION (KEY OPERATION BY USER) AND DESIGNATE BANK j
   GENERATE Ks4 AND ENCRYPT IT WITH Ks3 TO OUTPUT {Ks4}Ks3
   RECEIVE {{Kc//AC2}Kcom}Ks4 AND DECRYPT IT WITH Ks4 TO ACCEPT {Kc//AC2}Kcom
   DECRYPT {Kc//AC2}Kcom WITH Kcom TO ACCEPT Kc AND AC2
   NOT REPRODUCIBLE / REPRODUCIBLE
   DECRYPT {Data}Kc WITH Kc TO OBTAIN MUSIC DATA Data IN PLAIN TEXT
   REPRODUCE MUSIC FROM PLAIN TEXT MUSIC DATA Data
   END

MEMORY CARD
   RECEIVE {Ks4}Ks3 AND DECRYPT IT WITH Ks3 TO ACCEPT Ks4
   DETERMINE AC1 IN LICENSE INFORMATION HOLDING PORTION: NOT REPRODUCIBLE / UNRESTRICTEDLY REPRODUCIBLE / REPRODUCIBLE ONLY RESTRICTED TIMES
   UPDATE AC1 IN LICENSE INFORMATION HOLDING PORTION (UPDATE ALLOWED TIMES OF REPRODUCTION)
   DECRYPT {{Kc//AC2}Kcom//LICENSE ID//CONTENT ID//AC1}K(1) OF REQUESTED SONG RECORDED IN MEMORY WITH K(1) TO OBTAIN {Kc//AC2}Kcom
   ENCRYPT {Kc//AC2}Kcom WITH Ks4 TO OUTPUT {{Kc//AC2}Kcom}Ks4
   OBTAIN AND OUTPUT {Data}Kc OF REQUESTED SONG RECORDED IN MEMORY

STEP LABELS: S214, S218, S220, S222, S224, S226, S228, S232, S234, S236, S240






FIG.23

NAME | FUNCTION/CHARACTERISTICS | HOLD/GENERATION POSITION
Data | CONTENT DATA: DISTRIBUTED AS ENCRYPTED CONTENT DATA ENCRYPTED TO ALLOW DECRYPTION WITH Kc AND TAKING THE FORM OF {Data}Kc | DISTRIBUTION SERVER
Data-inf | ADDITIONAL INFORMATION: PLAIN TEXT INFORMATION RELATING TO COPYRIGHT OF CONTENT DATA, SERVER ACCESS, ETC. | DISTRIBUTION SERVER
Kc | LICENSE KEY: DECRYPTION KEY FOR DECRYPTING ENCRYPTED CONTENT DATA | DISTRIBUTION SERVER
Kp(n)/Kmc(n) | PRIVATE DECRYPTION KEY UNIQUE TO CLASS OF CONTENT REPRODUCING CIRCUIT OR MEMORY CARD (n: IDENTIFIER OF CLASS) | CELLULAR PHONE, MEMORY CARD
KPp(n)/KPmc(n) | ASYNCHRONOUS PUBLIC ENCRYPTION KEY DECODABLE WITH Kp(n)/Kmc(n), RECORDED IN THE FORM OF {Kp(n)}KPma/{KPmc(n)}KPma BEFORE SHIPMENT, DECRYPTED TO PRODUCE ADDITIONAL INFORMATION AUTHENTICATING DECRYPTED PUBLIC ENCRYPTION KEY Kp(n)/KPmc(n) (n: IDENTIFIER OF CLASS) | CELLULAR PHONE, MEMORY CARD
KPma | AUTHENTICATION KEY | DISTRIBUTION SERVER
AC | PURCHASE CONDITIONS FOR LICENSE FROM USER SIDE (FUNCTION RESTRICTION, NUMBER OF LICENSE(S), ETC.) | CELLULAR PHONE
AC1 | RESTRICTION INFORMATION FOR MEMORY ACCESS | DISTRIBUTION SERVER
AC2 | CONTROL INFORMATION FOR REPRODUCING CIRCUIT | DISTRIBUTION SERVER
Km(i) | DECRYPTION KEY UNIQUE TO EACH MEMORY CARD (i: IDENTIFIER OF CARD) | MEMORY CARD
KPm(i) | ASYMMETRIC ENCRYPTION KEY DECODABLE WITH Km(i) | MEMORY CARD
Ks1 | SYMMETRIC KEY UNIQUE TO SESSION, GENERATED IN EVERY DISTRIBUTION SESSION | DISTRIBUTION SERVER
Ks2 | SYMMETRIC KEY UNIQUE TO SESSION, GENERATED IN EVERY DISTRIBUTION/TRANSFER (RECEIVING) SESSION | MEMORY CARD
Ks3 | SYMMETRIC KEY UNIQUE TO SESSION, GENERATED IN EVERY REPRODUCTION/TRANSFER (SENDING) SESSION | MEMORY CARD
Ks4 | SYMMETRIC KEY UNIQUE TO SESSION, GENERATED IN EVERY REPRODUCTION SESSION | CELLULAR PHONE
CONTENT ID | CODE FOR IDENTIFYING CONTENT DATA Data | DISTRIBUTION SERVER
LICENSE ID | ADMINISTRATION CODE FOR SPECIFYING ISSUANCE OF LICENSE (DETERMINED TOGETHER WITH CONTENT ID IN SOME CASES) | DISTRIBUTION SERVER
TRANSACTION ID | CODE PRODUCED IN EVERY DISTRIBUTION SESSION FOR SPECIFYING DISTRIBUTION SESSION (THIS MAY ALSO SERVE AS LICENSE ID.) | DISTRIBUTION SERVER






FIG.29 (flowchart; box texts listed per column)

CELLULAR PHONE
   START
   REQUEST REPRODUCTION (KEY OPERATION BY USER)
   GENERATE Ks4 AND ENCRYPT IT WITH Ks3 TO OUTPUT {Ks4}Ks3
   DECRYPT {Kc//AC2}Ks4 WITH Ks4 TO ACCEPT Kc AND AC2
   NOT REPRODUCIBLE / REPRODUCIBLE
   DECRYPT {Data}Kc WITH Kc TO OBTAIN MUSIC DATA Data IN PLAIN TEXT
   REPRODUCE MUSIC FROM PLAIN TEXT MUSIC DATA Data
   END

MEMORY CARD
   RECEIVE {Ks4}Ks3 AND DECRYPT IT WITH Ks3 TO ACCEPT Ks4
   DETERMINE AC1 IN LICENSE INFORMATION HOLDING PORTION: NOT REPRODUCIBLE / UNRESTRICTEDLY REPRODUCIBLE / REPRODUCIBLE ONLY RESTRICTED TIMES
   UPDATE AC1 IN LICENSE INFORMATION HOLDING PORTION (UPDATE ALLOWED TIMES OF REPRODUCTION)
   DECRYPT {Kc//AC2//LICENSE ID//CONTENT ID//AC1}K(1) OF REQUESTED SONG RECORDED IN MEMORY WITH K(1) TO OBTAIN Kc AND AC2
   ENCRYPT Kc AND AC2 WITH Ks4 TO OUTPUT {Kc//AC2}Ks4
   OBTAIN AND OUTPUT {Data}Kc OF REQUESTED SONG RECORDED IN MEMORY

STEP LABELS: S201, S214, S216, S218, S220, S222a, S224a, S226a, S230, S232, S234, S236, S240






INTERNATIONAL SEARCH REPORT

International application No. PCT/JP00/08615

A. CLASSIFICATION OF SUBJECT MATTER

Int.Cl7 H04L9/08, H04L9/32, G09C1/00, G06F17/60

According to International Patent Classification (IPC) or to both national classification and IPC

B. FIELDS SEARCHED

Minimum documentation searched (classification system followed by classification symbols)
Int.Cl7 H04L9/08, H04L9/32, G09C1/00, G06F17/60

Documentation searched other than minimum documentation to the extent that such documents are included in the fields searched
Jitsuyo Shinan Koho 1926-1996; Toroku Jitsuyo Shinan Koho 1994-2001;
Kokai Jitsuyo Shinan Koho 1971-2001; Jitsuyo Shinan Toroku Koho 1996-2001

Electronic data base consulted during the international search (name of data base and, where practicable, search terms used)

C. DOCUMENTS CONSIDERED TO BE RELEVANT

Citation of document, with indication, where appropriate, of the relevant passages | Relevant to claim No.
JP, 10-40172, A (Toshiba Corporation), 13 February, 1998 (13.02.98), Full text; Figs. 1 to 4 (Family: none) | 1-13
JP, 11-265317, A (Nippon Telegr. & Teleph. Corp. <NTT>), 26 September, 1999 (26.09.99), Par. Nos. [0001], [0037] to [0044]; Figs. 1 to 10 (Family: none) | 1-13
Kiyoshi YAMANAKA, et al., "Multimedia on demand Service ni okeru Joho Hogo System", NTT R&D, Vol.44, No.9 (10.09.95) pp. 813-818 | 1-13
JP, 11-306673, A (Toshiba Corporation), 05 November, 1999 (05.11.99), Par. Nos. [0005], [0017] to [0018], [0020] to [0027]; Figs. 1 to 15 (Family: none) | 1-13
Seigo KOTANI, et al., "Secure PC Card", FUJITSU, May 1998, Vol.49, No.3 (05.1998) pp. 246-249 | 1-13
JP, 11-X54944, A (NTT DATA CORPORATION), 08 June, 1999 (08.06.99), Full text; Figs. 1 to 9 (Family: none) | 1-13

Date of the actual completion of the international search: 06 March, 2001 (06.03.01)
Date of mailing of the international search report: 13 March, 2001 (13.03.01)
Name and mailing address of the ISA/: Japanese Patent Office

Form PCT/ISA/210 (second sheet) (July 1992)



